[
https://issues.apache.org/jira/browse/KUDU-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127875#comment-16127875
]
Todd Lipcon commented on KUDU-2096:
-----------------------------------
It appears the JDK Kerberos implementation does some limited canonicalization:
https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/security/krb5/PrincipalName.java#L386
Specifically, it calls {{InetAddress.getByName}} and if the resulting name is
just a more-qualified version of the original name ("foo" -> "foo.example.com")
then it will do that canonicalization.
It seems that if we are OK using some internal APIs, we can use
sun.security.krb5.Config to read the configured krb5.conf and match the
behavior of the C++ client without having to add a new Java-specific
configuration in the client.
> Document necessary configuration for Kerberos with master CNAMEs
> ----------------------------------------------------------------
>
> Key: KUDU-2096
> URL: https://issues.apache.org/jira/browse/KUDU-2096
> Project: Kudu
> Issue Type: Task
> Components: documentation, security
> Reporter: Todd Lipcon
>
> Currently our docs recommend using CNAMEs for master addresses to simplify
> moving them around. However, if clients connect to a master with its
> non-canonical name, there are some complications with Kerberos principals,
> etc. We should test and document the necessary steps for such a configuration.
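The canonicalization rule described in the comment above, as an added example (not JDK or Kudu code). The class and method names and the host names are hypothetical, and the live lookup via `getCanonicalHostName()` is an assumption about how the resolved name is obtained.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

public class CanonicalizationRule {

    // Returns the host name to put in the service principal. The resolver's
    // answer is accepted only when it is the requested name plus more labels.
    static String choose(String requested, String resolved) {
        String req = requested.toLowerCase(Locale.ENGLISH);
        String res = resolved.toLowerCase(Locale.ENGLISH);
        return res.startsWith(req + ".") ? res : req;
    }

    // Live lookup; falls back to the requested name when resolution fails.
    static String canonicalize(String requested) {
        try {
            String resolved = InetAddress.getByName(requested).getCanonicalHostName();
            return choose(requested, resolved);
        } catch (UnknownHostException | SecurityException e) {
            return requested.toLowerCase(Locale.ENGLISH);
        }
    }

    public static void main(String[] args) {
        // Constructed (requested, resolver answer) pairs; no DNS is queried.
        String[][] samples = {
            {"foo", "foo.example.com"},             // short name, more-qualified answer
            {"kudu-master", "host17.example.com"},  // CNAME alias, unrelated answer
            {"foo.example.com", "foo.example.com"}, // already fully qualified
            {"foo", "foobar.example.com"},          // shared prefix, not a label boundary
        };
        for (String[] s : samples) {
            System.out.printf("%s -> %s%n", s[0], choose(s[0], s[1]));
        }
    }
}
```

Under this rule a CNAME alias is left unchanged, so the alias rather than the master's real host name ends up in the principal the client requests.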