hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Wed, 10 Apr 2019 19:59:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16814831#comment-16814831 ]

Eric Yang commented on HADOOP-16214:
------------------------------------

[~daryn] {quote}By design, the regexp previously rejected those 2 invalid use cases.  It's
not a regression.  How is it relevant to this jira?{quote}

The bad data input matches your proposed regex and also the previous faulty regex.  It does not
do an additional check for @ in the components part of the string after the regex matches.  The interpretation
of how auth_to_local works in Hadoop is flawed, and this was hidden by exposing only $0..$2
as regex group indexes, but it is still vulnerable to programs trying to manipulate bad input strings.
 The faulty regex lets $2=="" slip through; also a/@c@EXAMPLE.COM ends up with: $0=c@EXAMPLE.COM.

MIT auth_to_local is unbiased toward parsing UPN or SPN.  MIT Kerberos focuses on knowing the number
of components in the principal, and which group index to replace aname with lname.

{quote}The proposed patch seems to meet the needs of Issac and should have no objectionable
semantic parsing changes?{quote}

The parsing by JDK's own KerberosPrincipal gives confidence that the input is accurate.  The
parser changed to the MIT Kerberos technique to map aname to lname.  Fortunately, existing Hadoop
auth_to_local rules do not need to change.

> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows for an arbitrary number of components in the principal, the Hadoop implementation will throw a "Malformed Kerberos name:" error if the principal has more than two components (because the regex can only read serviceName and hostName).
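As an added illustration (not code from the Hadoop patches or the JIRA), the block below contrasts a two-component regex in the style the issue describes with a strict MIT-style component parser of the kind Eric's comment refers to, and applies a simplified auth_to_local rule whose $n index can address any component. The pattern, the rule representation and the sample principals are constructed for this example and are not Hadoop's actual code.

```python
import re

# Constructed two-component pattern in the style the issue describes
# (an illustration, not Hadoop's exact regex): name[/instance]@realm.
TWO_COMPONENT_RE = re.compile(r"^([^/@]*)(/([^/@]*))?@([^/@]*)$")

def regex_parse(name):
    """Return (components, realm), or None when the pattern rejects the name.
    A third component is rejected, yet an empty second component passes."""
    m = TWO_COMPONENT_RE.match(name)
    if not m:
        return None
    comps = [m.group(1)] if m.group(2) is None else [m.group(1), m.group(3)]
    return comps, m.group(4)

def strict_parse(name):
    """MIT-style parse: any number of '/'-separated components, then exactly one
    '@realm'; backslash escapes the next character. Empty components, a missing
    or empty realm, and a second unescaped '@' all raise instead of mapping."""
    parts, in_realm, i = [[]], False, 0  # parts[:-1] components, parts[-1] realm
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            parts[-1].append(name[i + 1]); i += 2; continue
        if ch == "@":
            if in_realm:
                raise ValueError("unescaped '@' in realm: " + name)
            in_realm = True; parts.append([])
        elif ch == "/" and not in_realm:
            parts.append([])
        else:
            parts[-1].append(ch)
        i += 1
    if not in_realm:
        raise ValueError("missing realm: " + name)
    parts = ["".join(p) for p in parts]
    if "" in parts:
        raise ValueError("empty component or realm: " + name)
    return parts[:-1], parts[-1]

def apply_rule(comps, realm, ncomp, fmt, match, sub_from, sub_to):
    """Simplified auth_to_local rule RULE:[ncomp:fmt](match)s/sub_from/sub_to/.
    $0 is the realm, $n the n-th component for any n; None if rule does not apply."""
    if len(comps) != ncomp:
        return None
    vals = {"0": realm, **{str(i + 1): c for i, c in enumerate(comps)}}
    short = re.sub(r"\$(\d+)", lambda m: vals[m.group(1)], fmt)
    if not re.fullmatch(match, short):
        return None
    return re.sub(sub_from, sub_to, short)
```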



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
