[
https://issues.apache.org/jira/browse/HADOOP-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15044180#comment-15044180
]
Matt Foley commented on HADOOP-12617:
-------------------------------------
The proposed patch provides the required functionality with no changes to API
signatures or exceptions, and following the model of other code in
KerberosUtils.java.
Furthermore, I grepped all java files in a broad set of Hadoop ecosystem
components:
* accumulo, atlas, calcite, datafu, falcon, flume, hadoop, hbase, hive, hue,
kafka, knox, mahout, oozie, phoenix, pig, ranger, slider, spark, sqoop, storm,
tez, zookeeper
and found that no code calls KerberosUtils.getServicePrincipal() directly
except that in the Hadoop auth package. Both instances there use the result
ONLY as an argument for an immediate call to gssManager.createName(), which
accepts the fully qualified principal and does the right thing with it. So I
believe this patch is safe.
> SPNEGO authentication request to non-default realm gets default realm name
> inserted in target server principal
> --------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-12617
> URL: https://issues.apache.org/jira/browse/HADOOP-12617
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1
> Environment: Java client talking to two secure clusters in different
> Kerberos realms,
> or talking to any secure cluster in non-default realm
> Reporter: Matt Foley
> Assignee: Matt Foley
>
> Note: This is NOT a vulnerability.
> In order for a single Java client to communicate with two different secure
> clusters in different realms (only one of which can be the "default_realm"),
> the client's krb5.conf file must specify both realms, and provide a
> \[domain_realm\] section that maps cluster servers' domains to the correct
> realms. With other appropriate behaviors (such as using the config from each
> cluster to talk to the respective clusters, and a user principal from each
> realm to talk to the respective realms), this is sufficient for most Hadoop
> ecosystem clients.
> But our SPNEGO using clients, such as Oozie, have a bug when it comes to
> talking to a non-default realm. The default realm name gets incorrectly
> inserted into the construction of the target server principal for the
> non-default-realm cluster. Details and proposed solution are given in the
> first comments below.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
