hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Tue, 16 Apr 2019 21:28:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16819518#comment-16819518 ]

Daryn Sharp commented on HADOOP-16214:
--------------------------------------

[~eyang]. You've lost all decorum and are conflating this Jira with the last time you changed this
code and I discovered a massive CVE.  I will not bother defending myself or patch against
your word salad of false accusations and ad-hominem attacks.

[~xkrogen], my patch is something I'd feel comfortable deploying because of the compatibility.
 Here's what it does:
|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null) |REALM|daryn|
| |daryn/@REALM|INVALID|
| |daryn/host@REALM|daryn|host|REALM|daryn|host|
|new|daryn/host/admin@REALM|daryn|host|REALM|daryn|host|admin|
 * Modify regexp to match n-many extra components
 * DEFAULT rule will not match more than 2 components.
 * Add your own rule to match these newly supported principals.
 * Effectively nothing changes for current deployments.

––

Eric wants the service handled similar to below.  I might have something minorly off but
this patch has consumed too much time.
|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null)|REALM|daryn|
|regress|daryn/@REALM|daryn/|(null)|REALM|daryn| ""|
| |daryn/ipv4-host@REALM|daryn|ipv4-host|REALM|daryn|ipv4-host|
|regress|daryn/ipv6-host@REALM|daryn/ipv6-host|(null)|REALM|daryn|ipv6-host|
|new|daryn/host/admin@REALM|daryn/host/admin|(null)|REALM|daryn|host|admin|
 * Unnecessarily rewrote parser.
 * Regressions.
 * Service is supposed to be the 1st component but now it becomes context-sensitive which
also adds regressions
 * DEFAULT rule will unexpectedly match the new principals.  It's effectively the CVE again.
 * Can't block the new principals if you don't want them.
 * Existing behavior regresses, inconsistent new behavior, principals formerly blocked are
allowed through w/o action by the admin.

> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch, HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows for an arbitrary number of components in the principal, the Hadoop implementation will throw a "Malformed Kerberos name:" error if the principal has more than two components (because the regex can only read serviceName and hostName).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
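The behaviour in Daryn's first table (service is always component 1, hostname component 2, n further components accepted by the name regex, DEFAULT rule still limited to two components so a new three-component principal is rejected unless the admin adds a rule), as an added Python model. This is not Hadoop's KerberosName code; the `RULE:[n:format](filter)s/pattern/replacement/` syntax follows Hadoop's auth_to_local conventions, and the default realm `REALM` is an assumption for the sample principals.

```python
import re

# Constructed name grammar: one service component, any number of extra
# '/'-separated components (each non-empty), then '@REALM'.
PRINCIPAL_RE = re.compile(r"^[^/@]+(?:/[^/@]+)*@[^/@]+$")
# Hadoop-style rule: RULE:[n:format](filter)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def parse_principal(principal):
    """Split a principal into $0 (realm) and $1..$n (components)."""
    if not PRINCIPAL_RE.match(principal):
        # 'daryn/@REALM' (empty second component) lands here, as in the table
        raise ValueError("Malformed Kerberos name: " + principal)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    return {"serviceName": comps[0],
            "hostname": comps[1] if len(comps) > 1 else None,
            "params": [realm] + comps}


def to_short_name(principal, rules, default_realm="REALM"):
    """Apply auth_to_local-style rules in order; raise if none matches."""
    p = parse_principal(principal)
    realm, comps = p["params"][0], p["params"][1:]
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT matches at most two components, so a three-component
            # principal is blocked until an admin adds an explicit rule.
            if len(comps) <= 2 and realm == default_realm:
                return comps[0]
            continue
        rm = RULE_RE.match(rule)
        if rm is None:
            raise ValueError("Bad rule: " + rule)
        n, fmt, filt, pat, repl, gflag = rm.groups()
        if int(n) != len(comps):          # rule applies to n components only
            continue
        text = re.sub(r"\$(\d+)", lambda m: p["params"][int(m.group(1))], fmt)
        if filt is not None and not re.fullmatch(filt, text):
            continue
        if pat is not None:
            text = re.sub(pat, repl, text, count=0 if gflag else 1)
        return text
    raise ValueError("No rules applied to " + principal)
```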


