hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Thu, 11 Apr 2019 17:15:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16815640#comment-16815640

Eric Yang commented on HADOOP-16214:

[~daryn] I think I overlooked the result of testing regex in patch 9 incorrectly. My apologies. Bad inputs will indeed get rejected by your patch. A couple of problems in patch 9:

# Patch does not apply correctly; there is previous state that you may have committed to base on the patch 8 commit.
# Patch will return component 2 as hostname regardless of how many components are in the principal name. This is different from the RFC1510 spec.
# KerberosName does not apply a hostname format check, and treats anything in component two as a hostname. This will be inaccurate, given a short name like "admin" may lead to hosts of multiple destinations that are not relevant to the intended principal.
# In previous patches, it makes sure that component 2 is in FQDN format before considering it as a hostname.
# Changed the TestKerberosName#testAntiPatterns test case into a for loop for 10000 times; it failed to run. It looks like internal states are inconsistent.
# Improved toString performance, but the output is not the same format as before.
# a/@EXAMPLE.COM is a legit Kerberos principal. Patch 8 handles this correctly and does not mark this as a host principal. Patch 9 does not.

What can be better in patch 8:
# Clean up serviceName to be name as in patch 9 to make the variable less confusing.
# Patch 8 does not check component 2 for simple security for hostname format.

Performance-wise, patch 8 is likely to take less time to execute. Although the condition block looks big, the actual parsing without regex is much faster. 10000 runs of testAntiPattern took 0.75 seconds, each iteration is 75 microseconds. I could not repeat the same test for patch 9.

> Kerberos name implementation in Hadoop does not accept principals with more than two
> -----------------------------------------------------------------------------------------------
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows for an arbitrary number of components in the principal, the Hadoop implementation will throw a "Malformed Kerberos name:" error if the principal has more than two components (because the regex can only read serviceName and hostName).

This message was sent by Atlassian JIRA

