[
https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629340#comment-16629340
]
Andor Molnar edited comment on ZOOKEEPER-3156 at 9/26/18 8:13 PM:
------------------------------------------------------------------
We should use getCanonicalHostName() to force reverse ip lookup and get the
FQDN of the server according to this javadoc:
https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#getCanonicalHostName()
Introducing a switch to enable reverse dns lookups would be inline with
Kerberos client behaviour:
http://web.mit.edu/kerberos/krb5-current/doc/admin/princ_dns.html
In the krb5 client you can disable canonicalization with rdns=false setting.
I can put together a patch tomorrow if needed.
was (Author: andorm):
We should use getCanonicalHostName() to force reverse ip lookup and get the
FQDN of the server according to this javadoc:
https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#getCanonicalHostName()
Introducing a switch to enable reverse dns lookups would be inline with
Kerberos client behaviour:
http://web.mit.edu/kerberos/krb5-current/doc/admin/princ_dns.html
In the krb5 client you can disable canonicalization with rdns=false setting.
> ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
> -----------------------------------------------------------------------
>
> Key: ZOOKEEPER-3156
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
> Affects Versions: 3.6.0, 3.4.13, 3.5.5
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
>
> Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured
> host name before creating the SASL client which is used to create the
> principal name. After ZOOKEEPER-2184 that canonicalization does not happen
> so the principal that the ZK client tries to use when it is configured to
> talk to a CName is different between 3.4.13 and all previous versions of ZK.
>
> For example
>
> zk1.mycluster.mycompany.com maps to real-node.mycompany.com.
>
> 3.4.13 will want the server to have
> [zookeeper/zk1.mycluster....@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster....@kdc.mycompany.com]
> 3.4.12 wants the server to have
> [zookeeper/real-node.mycompany....@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany....@kdc.mycompany.com]
>
> This makes 3.4.13 incompatible with many ZK setups currently in existence.
> It would be nice to have that resolution be optional because in some cases it
> might be nice to have a single principal tied to the cname.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
