hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Tue, 09 Apr 2019 14:51:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813499#comment-16813499

Daryn Sharp commented on HADOOP-16214:

{quote}we encode information in the additional components of a Kerberos principal, which is
allowed by the spec.
Let's start with an excerpt of RFC1510 to see if that's true.  Spoiler: extra components
are allowed but not arbitrary ones.
{panel:title=The Kerberos Network Authentication Service (V5)}
*7.2.1. Name of server principals*

The principal identifier for a server on a host will generally be composed of two parts: (1)
the realm of the KDC with which the server is registered, and (2) a two-component name of
type NT-SRV-HST if the host name is an Internet domain name or a multi-component name of type
NT-SRV-XHST if the name of the host is of a form such as X.500 that allows slash (/) separators.
+The first component of the two- or multi-component name will identify the service+ and the
+latter components will identify the host+.
#1 and #2 are the existing RFC compliant behavior. Patch introduces #3 which violates the
 # HTTP – service=HTTP host=(null)
 # HTTP/abc.com – service=HTTP host=abc.com
 # HTTP/abc.com/admin – service=HTTP/abc.com/admin host=(null)

We are left with these options:
 # Do nothing: require admin to not "abuse" multi-component principals, instead embed extra
info in the first component, ie. "HTTP;admin/abc.com"
 # RFC compliant: #3 should be service=HTTP host=abc.com/admin, but unlikely to work when
the host is expected to be a host
 # RFC non-compliant: possibly consider middle ground of service=HTTP host=abc.com

> Kerberos name implementation in Hadoop does not accept principals with more than two
> -----------------------------------------------------------------------------------------------
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch,
HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch,
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
for an arbitrary number of components in the principal, the Hadoop implementation will throw
a "Malformed Kerberos name:" error if the principal has more than two components (because
the regex can only read serviceName and hostName).

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message