[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068814#comment-16068814 ]

Daryn Sharp commented on HADOOP-13565:
--------------------------------------

FYI, this patch was obsoleted by HADOOP-14146.

> KerberosAuthenticationHandler#authenticate should not rebuild SPN based on
> client request
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-13565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13565
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>             Fix For: 2.8.0, 3.0.0-alpha2
>
>         Attachments: HADOOP-13565.00.patch, HADOOP-13565.01.patch,
>                      HADOOP-13565.02.patch, HADOOP-13565.03.patch
>
>
> In KerberosAuthenticationHandler#authenticate, we use canonicalized server
> name derived from HTTP request to build server SPN and authenticate client.
> This can be problematic if the HTTP client/server are running from a
> non-local Kerberos realm that the local realm has trust with (e.g., NN UI).
>
> For example,
> The server is running its HTTP endpoint using SPN from the client realm:
>
>   hadoop.http.authentication.kerberos.principal
>   HTTP/_HOST/TEST.COM
>
> When client sends request to namenode at http://NN1.example.com:50070 from
> client.test@test.com.
>
> The client talks to KDC first and gets a service ticket
> HTTP/NN1.example.com/TEST.COM to authenticate with the server via SPNEGO
> negotiation.
>
> The authentication will end up with either no valid credential error or
> checksum failure depending on the HTTP client naming resolution or HTTP Host
> field from the request header provided by the browser.
>
> The root cause is {{KerberosUtil.getServicePrincipal("HTTP", serverName)}} will
> always return a SPN with local realm (HTTP/nn.example@example.com) no
> matter the server login SPN is from that domain or not.
>
> The proposed fix is to change to use default server login principal (by
> passing null as the 1st parameter to gssManager.createCredential()) instead.
> This way we avoid dependency on HTTP client behavior (Host header or name
> resolution like CNAME) or assumption on the local realm.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068182#comment-16068182 ]

Brahma Reddy Battula commented on HADOOP-13565:
-----------------------------------------------

[~xyao] can you mark this as incompatible and update the release notes..? looks {{3.0.0-alpha2}} already went without this releasenotes.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15748535#comment-15748535 ]

Eric Badger commented on HADOOP-13565:
--------------------------------------

Can we revert this until the issues are fixed?
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15746550#comment-15746550 ]

Xiaoyu Yao commented on HADOOP-13565:
-------------------------------------

Thanks [~daryn]. The problem is in HADOOP-13565, we enforce an additional principal check requiring SPNEGO principal to have three complete parts: HTTP, hostname and realm. This prevents principal like HTTP/localhost from being used. By relaxing the requirement on realm parts, we maintain the support for principals like HTTP/host.

Unlike the first two patches for HADOOP-13890, the 3rd one is a simpler fix that addresses the compatibility concerns without changing the original unit tests. To make this work, we also found and fixed the KerberosName parsing bug to handle principals like HTTP/host. Please review and let me know your thoughts.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15743539#comment-15743539 ]

Daryn Sharp commented on HADOOP-13565:
--------------------------------------

I've been told this patch broke our testing pipelines. I don't have details but perhaps this patch should be considered for revert until we are sure what the problem(s) are. I'll look at this patch tomorrow.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15741174#comment-15741174 ]

Xiaoyu Yao commented on HADOOP-13565:
-------------------------------------

Looks like a bug in KerberosName parsing where the SPNEGO principal used in these failed tests, "HTTP/localhost" (without realm name), cannot be parsed correctly. KerberosName returns "HTTP/localhost" as the service name and null hostname and null realm. I will post a patch to fix the test SPNEGO principals to include the realm name and open a separate ticket for the KerberosName parsing issue.
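The two Xiaoyu Yao comments above describe a parsing rule (a principal without a realm, such as HTTP/localhost, must still split into service and host rather than being returned whole as the service name) and a validation rule (the SPNEGO principal needs the HTTP service and a host, but the realm part is optional). The following Python is an added example, not Hadoop's KerberosName or KerberosAuthenticationHandler code: a principal parser with an optional realm, the relaxed SPNEGO principal check, and a side-by-side of the two acceptor strategies from the issue description (an SPN rebuilt from the client's Host header in the local realm versus the server's own login principal). It writes realms in the standard `@REALM` notation where the description writes `HTTP/_HOST/TEST.COM`; the `_HOST` expansion and the host canonicalisation (strip port, lowercase) are simplifying assumptions of this example, and the hostnames and realms are constructed from the scenario in the description.

```python
import re
from typing import NamedTuple, Optional

# Principal grammar used here: primary[/instance][@REALM], where none of the
# three parts may contain '/' or '@'. The realm is optional so that a name like
# HTTP/localhost parses into service + host instead of being taken as one
# opaque service name (the KerberosName parsing bug described in the comments).
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")


class Principal(NamedTuple):
    service: str            # primary component, e.g. HTTP or a user name
    host: Optional[str]     # instance component, None when absent
    realm: Optional[str]    # realm, None when the name carries none

    def __str__(self) -> str:
        text = self.service
        if self.host is not None:
            text += "/" + self.host
        if self.realm is not None:
            text += "@" + self.realm
        return text


def parse_principal(name: str) -> Principal:
    """Split 'service/host@REALM' into its parts; host and realm are optional."""
    match = _PRINCIPAL_RE.match(name)
    if match is None:
        raise ValueError(f"malformed Kerberos principal: {name!r}")
    service, host, realm = match.groups()
    return Principal(service, host, realm)


def validate_spnego_principal(name: str) -> Principal:
    """Server-side SPNEGO principal check: the service must be HTTP and a host
    component is required; the realm may be omitted (HTTP/localhost is valid)."""
    principal = parse_principal(name)
    if principal.service != "HTTP":
        raise ValueError(f"SPNEGO principal must use the HTTP service: {name!r}")
    if principal.host is None:
        raise ValueError(f"SPNEGO principal has no host component: {name!r}")
    return principal


def rebuilt_spn(request_host_header: str, local_realm: str) -> Principal:
    """Pre-fix behaviour the issue describes: derive the acceptor SPN from the
    client's Host header and always place it in the local realm. Canonicalisation
    is simplified here (assumption) to stripping the port and lowercasing."""
    host = request_host_header.split(":", 1)[0].lower()
    return Principal("HTTP", host, local_realm)


def login_spn(configured_principal: str, local_fqdn: str) -> Principal:
    """Post-fix behaviour: accept with the server's own login principal, expanding
    the _HOST placeholder with the server's canonical hostname (assumed to be
    supplied by the caller), independent of anything the client sent."""
    return validate_spnego_principal(configured_principal.replace("_HOST", local_fqdn))


def ticket_matches(service_ticket_for: str, acceptor: Principal) -> bool:
    """An acceptor can only decrypt a service ticket issued for its own principal;
    a realm mismatch is the 'no valid credential' / checksum failure in the issue."""
    return parse_principal(service_ticket_for) == acceptor


if __name__ == "__main__":
    # Constructed scenario from the description: the server logs in with a
    # TEST.COM principal while the host's local realm is EXAMPLE.COM.
    ticket = "HTTP/nn1.example.com@TEST.COM"
    old = rebuilt_spn("NN1.example.com:50070", "EXAMPLE.COM")
    new = login_spn("HTTP/_HOST@TEST.COM", "nn1.example.com")
    print(f"rebuilt from Host header: {old}  matches ticket: {ticket_matches(ticket, old)}")
    print(f"server login principal:   {new}  matches ticket: {ticket_matches(ticket, new)}")
```

Running the block shows the rebuilt SPN landing in EXAMPLE.COM while the client's ticket was issued for the TEST.COM principal, which is why authentication failed before the fix; the login-principal path matches regardless of what the Host header said.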
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15741078#comment-15741078 ]

Xiaoyu Yao commented on HADOOP-13565:
-------------------------------------

Thanks [~ajisakaa] for the heads up. I just assigned HADOOP-13890 to myself and will investigate and fix it shortly.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15740797#comment-15740797 ]

Akira Ajisaka commented on HADOOP-13565:
----------------------------------------

Hi [~xyao] and [~jnp], this commit broke HADOOP-13890. Could you check this?
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15737306#comment-15737306 ]

Hudson commented on HADOOP-13565:
---------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10985 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10985/])
HADOOP-13565. KerberosAuthenticationHandler#authenticate should not (xyao: rev 4c38f11cec0664b70e52f9563052dca8fb17c33f)
* (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15733929#comment-15733929 ]

Hadoop QA commented on HADOOP-13565:
------------------------------------

-1 overall

| Vote | Subsystem  | Runtime | Comment |
| 0    | reexec     | 0m 10s  | Docker mode activated. |
| +1   | @author    | 0m 0s   | The patch does not contain any @author tags. |
| -1   | test4tests | 0m 0s   | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1   | mvninstall | 6m 53s  | trunk passed |
| +1   | compile    | 9m 29s  | trunk passed |
| +1   | checkstyle | 0m 18s  | trunk passed |
| +1   | mvnsite    | 0m 24s  | trunk passed |
| +1   | mvneclipse | 0m 18s  | trunk passed |
| +1   | findbugs   | 0m 27s  | trunk passed |
| +1   | javadoc    | 0m 17s  | trunk passed |
| +1   | mvninstall | 0m 14s  | the patch passed |
| +1   | compile    | 9m 3s   | the patch passed |
| +1   | javac      | 9m 3s   | the patch passed |
| +1   | checkstyle | 0m 18s  | hadoop-common-project/hadoop-auth: The patch generated 0 new + 0 unchanged - 28 fixed = 0 total (was 28) |
| +1   | mvnsite    | 0m 24s  | the patch passed |
| +1   | mvneclipse | 0m 18s  | the patch passed |
| +1   | whitespace | 0m 0s   | The patch has no whitespace issues. |
| +1   | findbugs   | 0m 35s  | the patch passed |
| +1   | javadoc    | 0m 18s  | the patch passed |
| +1   | unit       | 3m 31s  | hadoop-auth in the patch passed. |
| +1   | asflicense | 0m 30s  | The patch does not generate ASF License warnings. |
|      |            | 35m 9s  | |

| Subsystem      | Report/Notes |
| Docker         | Image:yetus/hadoop:a9ad5d6 |
| JIRA Issue     | HADOOP-13565 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12842455/HADOOP-13565.03.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname          | Linux 9df2e16e82c0 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool     | maven |
| Personality    | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision   | trunk / 13d8e55 |
| Default Java   | 1.8.0_111 |
| findbugs       | v3.0.0 |
| Test Results   | https://builds.apache.org/job/PreCommit-HADOOP-Build/11225/testReport/ |
| modules        | C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11225/console |
| Powered by     | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15733574#comment-15733574 ]

Jitendra Nath Pandey commented on HADOOP-13565:
-----------------------------------------------

For code that splits the principal to parse out different parts, it will be better to use {{KerberosName}} class. This should be a minor refactoring. +1 otherwise.
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15733487#comment-15733487 ]

Hadoop QA commented on HADOOP-13565:
------------------------------------

-1 overall

| Vote | Subsystem  | Runtime | Comment |
| 0    | reexec     | 0m 12s  | Docker mode activated. |
| +1   | @author    | 0m 0s   | The patch does not contain any @author tags. |
| -1   | test4tests | 0m 0s   | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1   | mvninstall | 8m 12s  | trunk passed |
| +1   | compile    | 10m 29s | trunk passed |
| +1   | checkstyle | 0m 18s  | trunk passed |
| +1   | mvnsite    | 0m 26s  | trunk passed |
| +1   | mvneclipse | 0m 17s  | trunk passed |
| +1   | findbugs   | 0m 30s  | trunk passed |
| +1   | javadoc    | 0m 17s  | trunk passed |
| +1   | mvninstall | 0m 17s  | the patch passed |
| +1   | compile    | 9m 43s  | the patch passed |
| +1   | javac      | 9m 43s  | the patch passed |
| +1   | checkstyle | 0m 18s  | hadoop-common-project/hadoop-auth: The patch generated 0 new + 0 unchanged - 28 fixed = 0 total (was 28) |
| +1   | mvnsite    | 0m 25s  | the patch passed |
| +1   | mvneclipse | 0m 18s  | the patch passed |
| +1   | whitespace | 0m 0s   | The patch has no whitespace issues. |
| +1   | findbugs   | 0m 34s  | the patch passed |
| +1   | javadoc    | 0m 17s  | the patch passed |
| +1   | unit       | 3m 34s  | hadoop-auth in the patch passed. |
| +1   | asflicense | 0m 34s  | The patch does not generate ASF License warnings. |
|      |            | 38m 27s | |

| Subsystem      | Report/Notes |
| Docker         | Image:yetus/hadoop:a9ad5d6 |
| JIRA Issue     | HADOOP-13565 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12842408/HADOOP-13565.02.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname          | Linux 76a0fa82277e 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool     | maven |
| Personality    | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision   | trunk / 401c731 |
| Default Java   | 1.8.0_111 |
| findbugs       | v3.0.0 |
| Test Results   | https://builds.apache.org/job/PreCommit-HADOOP-Build/11221/testReport/ |
| modules        | C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11221/console |
| Powered by     | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15733061#comment-15733061 ] Hadoop QA commented on HADOOP-13565:

-1 overall

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 10s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1 | mvninstall | 7m 2s | trunk passed |
| +1 | compile | 9m 32s | trunk passed |
| +1 | checkstyle | 0m 18s | trunk passed |
| +1 | mvnsite | 0m 25s | trunk passed |
| +1 | mvneclipse | 0m 18s | trunk passed |
| +1 | findbugs | 0m 27s | trunk passed |
| +1 | javadoc | 0m 17s | trunk passed |
| +1 | mvninstall | 0m 15s | the patch passed |
| +1 | compile | 9m 18s | the patch passed |
| +1 | javac | 9m 18s | the patch passed |
| -0 | checkstyle | 0m 19s | hadoop-common-project/hadoop-auth: The patch generated 36 new + 17 unchanged - 11 fixed = 53 total (was 28) |
| +1 | mvnsite | 0m 25s | the patch passed |
| +1 | mvneclipse | 0m 16s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 0m 34s | the patch passed |
| +1 | javadoc | 0m 17s | the patch passed |
| +1 | unit | 3m 33s | hadoop-auth in the patch passed. |
| +1 | asflicense | 0m 29s | The patch does not generate ASF License warnings. |
| | | 35m 42s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:a9ad5d6 |
| JIRA Issue | HADOOP-13565 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12839099/HADOOP-13565.01.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname | Linux 8cb94f4d5284 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / c265515 |
| Default Java | 1.8.0_111 |
| findbugs | v3.0.0 |
| checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-auth.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/testReport/ |
| modules | C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/console |
| Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15638118#comment-15638118 ] Hudson commented on HADOOP-13565:

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10776 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10776/])
Revert "HADOOP-13565. KerberosAuthenticationHandler#authenticate should (xyao: rev 95665a6eea32ff7134ea556db4dd4ae068364fc0)
* (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15572768#comment-15572768 ] Hudson commented on HADOOP-13565:

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10604 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10604/])
HADOOP-13565. KerberosAuthenticationHandler#authenticate should not (xyao: rev 9097e2efe4c92d83c8fab88dc11be84505a6cab5)
* (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15566473#comment-15566473 ] Xiaoyu Yao commented on HADOOP-13565:

Thanks [~arpitagarwal] for the review. In case other folks on the watcher list have additional comments, I will hold off the commit until 10/13.
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15566436#comment-15566436 ] Arpit Agarwal commented on HADOOP-13565:

+1 Thanks for tracking this down and the fix [~xyao].
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15453521#comment-15453521 ] Hadoop QA commented on HADOOP-13565:

-1 overall

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 13s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1 | mvninstall | 6m 56s | trunk passed |
| +1 | compile | 6m 54s | trunk passed |
| +1 | checkstyle | 0m 13s | trunk passed |
| +1 | mvnsite | 0m 17s | trunk passed |
| +1 | mvneclipse | 0m 11s | trunk passed |
| +1 | findbugs | 0m 21s | trunk passed |
| +1 | javadoc | 0m 12s | trunk passed |
| +1 | mvninstall | 0m 12s | the patch passed |
| +1 | compile | 6m 46s | the patch passed |
| +1 | javac | 6m 46s | the patch passed |
| -0 | checkstyle | 0m 12s | hadoop-common-project/hadoop-auth: The patch generated 1 new + 28 unchanged - 0 fixed = 29 total (was 28) |
| +1 | mvnsite | 0m 16s | the patch passed |
| +1 | mvneclipse | 0m 11s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 0m 28s | the patch passed |
| +1 | javadoc | 0m 12s | the patch passed |
| -1 | unit | 3m 15s | hadoop-auth in the patch failed. |
| +1 | asflicense | 0m 21s | The patch does not generate ASF License warnings. |
| | | 28m 38s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.security.authentication.util.TestZKSignerSecretProvider |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:9560f25 |
| JIRA Issue | HADOOP-13565 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12826502/HADOOP-13565.00.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
| uname | Linux 67d7f472045a 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 85bab5f |
| Default Java | 1.8.0_101 |
| findbugs | v3.0.0 |
| checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-auth.txt |
| unit | https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-auth.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/testReport/ |
| modules | C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/console |
| Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15450380#comment-15450380 ] Xiaoyu Yao commented on HADOOP-13565:

Also notice that the change to use the server name from the HTTP request to build the server SPN and retrieve the credential was introduced as part of HADOOP-10158 to support multiple SPNs. Not sure if rebuilding the SPN based on the client request is necessary for multiple-SPN support. If yes, we can keep the old behavior when no multiple SPNs are being used, by authenticating with the default login SPN specified. This way, the use case above will continue to work after HADOOP-10158.

cc: the original contributors of HADOOP-10158, [~daryn]/[~kihwal], for additional feedback on this. Thanks in advance!

> KerberosAuthenticationHandler#authenticate should not rebuild SPN based on
> client request
> -
>
> Key: HADOOP-13565
> URL: https://issues.apache.org/jira/browse/HADOOP-13565
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Xiaoyu Yao
> Assignee: Xiaoyu Yao
>
> In KerberosAuthenticationHandler#authenticate, we use the canonicalized server
> name derived from the HTTP request to build the server SPN and authenticate the client.
> This can be problematic if the HTTP client/server are running from a
> non-local Kerberos realm that the local realm has trust with (e.g., NN UI).
> For example,
> The server is running its HTTP endpoint using an SPN from the client realm:
> hadoop.http.authentication.kerberos.principal
> HTTP/_HOST/TEST.COM
> When the client sends a request to the namenode at example@example.com with
> http://NN.example.com:50070 from somehost.test@test.com.
> The client talks to the KDC first and gets a service ticket
> HTTP/NN1.example.com/TEST.COM to authenticate with the server via SPNEGO
> negotiation.
> The authentication will end up with either a no valid credential error or a
> checksum failure depending on the HTTP client name resolution or the HTTP
> Host header specified by the browser.
> The root cause is that {{KerberosUtil.getServicePrincipal("HTTP", serverName)}} will
> return an SPN with the local realm (HTTP/nn.example@example.com) no matter
> whether the server login SPN is from that domain or not.
> The proposed fix is to change to use the default server login principal (by
> passing null as the 1st parameter to gssManager.createCredential()) instead.
> This way we avoid dependency on HTTP client behavior (Host header or name
> resolution like CNAME) or assumptions about the local realm.
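The two ways of choosing the SPNEGO acceptor credential that the issue description and the comment above contrast, written out in plain JGSS as an added example. This is not code from the Hadoop project or from anyone in this thread: the class and method names are mine, the mechanism and name-type OIDs are the standard SPNEGO, Kerberos V5 and krb5-principal-name OIDs, and the example assumes, as Hadoop's handler does, that it runs inside Subject.doAs with a Subject obtained from a keytab-based Krb5LoginModule login (storeKey=true) for the server principal, so that credentials for that principal are available to acquire. It is the fix that matters for defenders: the acceptor credential is selected from what the server itself logged in as, not from a name influenced by the client's Host header or by DNS canonicalization.

```java
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example (not Hadoop code): selecting the SPNEGO acceptor credential. */
public final class SpnegoAcceptorCredential {

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException("bad OID " + dotted, e);
        }
    }

    // Standard OIDs: SPNEGO (RFC 4178), Kerberos V5 (RFC 1964), krb5 principal name type.
    private static final Oid SPNEGO_OID = oid("1.3.6.1.5.5.2");
    private static final Oid KRB5_OID = oid("1.2.840.113554.1.2.2");
    private static final Oid KRB5_PRINCIPAL_NAME_OID = oid("1.2.840.113554.1.2.2.1");
    private static final Oid[] MECHS = {SPNEGO_OID, KRB5_OID};

    /**
     * The behaviour the issue reports as the root cause: the acceptor name is rebuilt from
     * the request's server name. "HTTP/host" carries no realm, so JGSS completes it with
     * the local default realm, and it can never match a login principal from another realm
     * (HTTP/NN1.example.com@TEST.COM in the example above). Kept here only for contrast.
     */
    static GSSCredential credentialFromRequestHost(GSSManager gssManager,
                                                   String requestServerName) throws Exception {
        // requestServerName ultimately comes from the client's Host header.
        String canonicalHost = InetAddress.getByName(requestServerName).getCanonicalHostName();
        GSSName serverName = gssManager.createName("HTTP/" + canonicalHost, KRB5_PRINCIPAL_NAME_OID);
        return gssManager.createCredential(serverName, GSSCredential.INDEFINITE_LIFETIME,
                MECHS, GSSCredential.ACCEPT_ONLY);
    }

    /**
     * The proposed fix: pass null as the name, so JGSS takes the principal the server
     * logged in with from the current Subject. No client-controlled input is involved.
     */
    static GSSCredential defaultLoginCredential(GSSManager gssManager) throws GSSException {
        return gssManager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                MECHS, GSSCredential.ACCEPT_ONLY);
    }

    /**
     * Accepts one client token (the decoded value of "Authorization: Negotiate ...") using
     * the default login credential. Returns the authenticated client principal once the
     * context is established, or null if another round trip is needed.
     */
    static String acceptClientToken(Subject serverSubject, GSSManager gssManager,
                                    byte[] clientToken) throws Exception {
        return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSCredential creds = defaultLoginCredential(gssManager);
            GSSContext ctx = gssManager.createContext(creds);
            try {
                byte[] outToken = ctx.acceptSecContext(clientToken, 0, clientToken.length);
                // outToken, if non-null, would go back to the client in a
                // "WWW-Authenticate: Negotiate <base64>" header; omitted here.
                return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            } finally {
                ctx.dispose();
                creds.dispose();
            }
        });
    }

    private SpnegoAcceptorCredential() {
    }
}
```

The difference shows up only in a cross-realm deployment such as the one in the description: with credentialFromRequestHost the acquired name is HTTP/nn1.example.com@EXAMPLE.COM while the keytab and the client's service ticket are for HTTP/NN1.example.com@TEST.COM, which is the "no valid credential" or checksum failure reported above; with defaultLoginCredential the acceptor credential is whatever hadoop.http.authentication.kerberos.principal logged in as, so the realm in the configured principal is honoured and the Host header no longer participates in credential selection.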