[ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16815640#comment-16815640 ]

Eric Yang edited comment on HADOOP-16214 at 4/18/19 1:03 AM:
-------------------------------------------------------------

[~daryn] I think I overlooked the result of testing regex in patch 9 
incorrectly.  My apologies.  Bad inputs will indeed get rejected by your patch. 
A couple of problems in patch 9:

# Patch does not apply correctly; there is previous state that you may have 
committed based on the patch 8 commit.
# Patch will return component 2 as hostname regardless of how many components 
are in the principal name.  This is different from the RFC1510 spec.
# KerberosName does not apply a hostname format check, and accepts anything in 
component two as hostname.  This will be inaccurate, given that a short name like 
"admin" may lead to hosts of multiple destinations that are not relevant to the 
intended principal.
# In previous patches, it makes sure that component 2 is in FQDN format before 
considering it as a hostname.
# Changed TestKerberosName#testAntiPatterns test case into a for loop for 10000 
times; it runs with 66 microseconds vs 75 microseconds (patch 8) per run.  
(Correction: error in my previous test procedure.)
# Improved toString performance, but the output is not the same format as 
before.
# a/@EXAMPLE.COM is a legit Kerberos principal.  Patch 8 handles this correctly 
and does not mark it as a host principal.  Patch 9 does not.

What can be better in patch 8:
# Clean up serviceName to be name, like in patch 9, to make the variable less 
confusing.
# Patch 8 does not check component 2 for simple security for hostname format.

Performance-wise, patch 8 is likely to take less time to execute.  Although the 
condition block looks big, the actual parsing without regex is much faster.  
10000 runs of testAntiPattern took 0.75 second, each iteration is 75 
microseconds.  I could not repeat the same test for patch 9.


was (Author: eyang):
[~daryn] I think I overlooked the result of testing regex in patch 9 
incorrectly.  My apologies.  Bad inputs will indeed get rejected by your patch. 
A couple of problems in patch 9:

# Patch does not apply correctly; there is previous state that you may have 
committed based on the patch 8 commit.
# Patch will return component 2 as hostname regardless of how many components 
are in the principal name.  This is different from the RFC1510 spec.
# KerberosName does not apply a hostname format check, and accepts anything in 
component two as hostname.  This will be inaccurate, given that a short name like 
"admin" may lead to hosts of multiple destinations that are not relevant to the 
intended principal.
# In previous patches, it makes sure that component 2 is in FQDN format before 
considering it as a hostname.
# Changed TestKerberosName#testAntiPatterns test case into a for loop for 10000 
times; it failed to run.  It looks like internal states are inconsistent.
# Improved toString performance, but the output is not the same format as 
before.
# a/@EXAMPLE.COM is a legit Kerberos principal.  Patch 8 handles this correctly 
and does not mark it as a host principal.  Patch 9 does not.

What can be better in patch 8:
# Clean up serviceName to be name, like in patch 9, to make the variable less 
confusing.
# Patch 8 does not check component 2 for simple security for hostname format.

Performance-wise, patch 8 is likely to take less time to execute.  Although the 
condition block looks big, the actual parsing without regex is much faster.  
10000 runs of testAntiPattern took 0.75 second, each iteration is 75 
microseconds.  I could not repeat the same test for patch 9.

> Kerberos name implementation in Hadoop does not accept principals with more 
> than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, 
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, 
> HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch, 
> HADOOP-16214.009.patch, HADOOP-16214.010.patch, HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of 
> converting a Kerberos principal to a user name in Hadoop for all of the 
> services requiring authentication.
> Although the Kerberos spec 
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop 
> implementation will throw a "Malformed Kerberos name:" error if the principal 
> has more than two components (because the regex can only read serviceName and 
> hostName).

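The parsing rules debated above (any number of `/`-separated components per RFC 1510/4120, component 2 treated as a hostname only when it is in FQDN format, and `a/@EXAMPLE.COM` parsing as a valid principal that is not a host principal), as an added standalone example that is not Hadoop's KerberosName or any of the attached patches. It assumes backslash escapes a literal `/` or `@`, and that a FQDN means two or more DNS labels; the sample principals are constructed.

```python
# Added example, not Hadoop's KerberosName: split 'c1/.../cN@REALM' into
# components (any count, RFC 1510/4120), honouring backslash escapes, and
# treat component 2 as a hostname only when it is a FQDN (not e.g. 'admin').
import re
from typing import List, Optional, Tuple

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

def split_principal(name: str) -> Tuple[List[str], Optional[str]]:
    """Return (components, realm); realm is None when there is no unescaped '@'."""
    components: List[str] = []
    cur: List[str] = []
    in_realm, i = False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # escaped char is taken literally
            cur.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            components.append("".join(cur))  # may be empty, as in 'a/@REALM'
            cur = []
            in_realm = ch == "@"
        elif in_realm and ch == "@":
            raise ValueError(f"second unescaped '@' in {name!r}")
        else:
            cur.append(ch)
        i += 1
    realm = "".join(cur) if in_realm else None
    if not in_realm:
        components.append("".join(cur))
    if not components[0]:
        raise ValueError(f"empty first component in {name!r}")
    return components, realm

def is_fqdn(host: str) -> bool:
    """Two or more DNS labels of 1-63 chars each, total length <= 253."""
    return len(host) <= 253 and bool(_FQDN_RE.match(host))

def host_component(name: str) -> Optional[str]:
    """Component 2 when it passes the FQDN check, otherwise None."""
    components, _ = split_principal(name)
    if len(components) < 2:
        return None
    return components[1] if is_fqdn(components[1]) else None
```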