hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Issac Buenrostro (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Fri, 26 Apr 2019 17:54:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16827162#comment-16827162
] 

Issac Buenrostro commented on HADOOP-16214:
-------------------------------------------

[~eyang] thanks for the security suggestions, many of our principals are indeed host specific.
Is it the case that adding more components to the principal will prevent host specific principals
to verify matching host?

For the proposal of mechanism == mit for multiple components, that seems reasonable to me.
Just to clarify, what do you mean by "more than 2 components don't become service principal"?

> Kerberos name implementation in Hadoop does not accept principals with more than two
components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, HADOOP-16214.002.patch,
HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch,
HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
for an arbitrary number of components in the principal, the Hadoop implementation will throw
a "Malformed Kerberos name:" error if the principal has more than two components (because
the regex can only read serviceName and hostName).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message