[ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16827192#comment-16827192 ]
Eric Yang edited comment on HADOOP-16214 at 4/26/19 6:41 PM:
-------------------------------------------------------------

[~ibuenros]

{quote}Is it the case that adding more components to the principal will prevent host specific principals to verify matching host?{quote}

Yes, this is the behavior of my patches, and it conforms to the RFC1510 NT-SRV-XHST pattern. Daryn's patch, by contrast, will extract the hostname from component 2 if the principal has more components; this allows the principal <user>/<role1>/<role2>/<role3>/<role4>@<realm> to act as a service principal. Microsoft has recently added more formats to the [AD supported service principal name format|https://docs.microsoft.com/en-us/windows/desktop/ad/name-formats-for-unique-spns#replicable-services]. Daryn's patch is not entirely accurate, but can work in most happy paths.

{quote}Just to clarify, what do you mean by "more than 2 components don't become service principal"?{quote}

In my version, <service>/<host>@<realm> is a service principal. <service>/<host>/<role>@<realm> does not become a service principal. This is because FreeIPA and classic Kerberos don't consider those as service principals.
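The difference between the two approaches discussed in this thread, as an added illustration that is not code from Hadoop, from either patch, or from the commenters: a model of the two-component name parser (the regular expression is reconstructed from memory of `KerberosName` and is an assumption, not copied from the patches), a parser that accepts any number of components, and a host check run under the two policies described above, "strict" for the <service>/<host>@<realm>-only rule and "component2" for the second-component extraction. All principals, hosts and the EXAMPLE.COM realm are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

# Two-component pattern equivalent to the one Hadoop's KerberosName used
# before this issue (assumption: reproduced from memory, not from the patch).
# Groups: 1 = service/user, 3 = optional host, 4 = realm.
TWO_COMPONENT_RE = re.compile(r"([^/@]*)(/([^/@]*))?@([^/@]*)")


def hadoop_two_component_parse(name: str) -> Tuple[str, Optional[str], str]:
    """Model of the pre-patch behaviour: anything beyond service/host@REALM
    does not match and is reported as malformed."""
    m = TWO_COMPONENT_RE.fullmatch(name)
    if m is None:
        raise ValueError("Malformed Kerberos name: " + name)
    return m.group(1), m.group(3), m.group(4)


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split a principal into its component list and realm, allowing any
    number of components. A backslash escapes the next character, so the
    constructed name 'a\\/b/host@R' has components ['a/b', 'host']."""
    components: List[str] = []
    realm: Optional[str] = None
    buf: List[str] = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if realm is None and c == "/":
            components.append("".join(buf))
            buf = []
        elif realm is None and c == "@":
            components.append("".join(buf))
            buf = []
            realm = ""  # marker: everything after '@' belongs to the realm
        else:
            buf.append(c)
        i += 1
    if realm is None:
        raise ValueError("Malformed Kerberos name (no realm): " + name)
    realm = "".join(buf)
    if not realm or any(comp == "" for comp in components):
        raise ValueError("Malformed Kerberos name: " + name)
    return components, realm


def service_host(components: List[str], policy: str) -> Optional[str]:
    """Return the host a principal is bound to, or None if it is not treated
    as a host-specific service principal under the given policy.

    'strict'     - only <service>/<host>@<realm> (exactly two components) is a
                   service principal, the behaviour described for Eric Yang's
                   patches.
    'component2' - any principal with two or more components is treated as a
                   service principal and its second component as the host,
                   the behaviour described for Daryn's patch.
    """
    if policy == "strict":
        return components[1] if len(components) == 2 else None
    if policy == "component2":
        return components[1] if len(components) >= 2 else None
    raise ValueError("unknown policy: " + policy)


def host_matches(name: str, expected_host: str, policy: str) -> bool:
    """The check a host-bound service would run on an authenticated
    principal: True only if the principal is a service principal under the
    policy and its host component equals expected_host."""
    components, _realm = parse_principal(name)
    host = service_host(components, policy)
    return host is not None and host.lower() == expected_host.lower()


if __name__ == "__main__":
    # Constructed sample principals; the hosts and realm are placeholders.
    samples = [
        "hdfs/nn1.example.com@EXAMPLE.COM",
        "user/nn1.example.com/role1/role2@EXAMPLE.COM",
        "alice@EXAMPLE.COM",
    ]
    for p in samples:
        try:
            legacy = hadoop_two_component_parse(p)
        except ValueError as e:
            legacy = str(e)
        comps, realm = parse_principal(p)
        print(p, "| legacy:", legacy, "| components:", comps, "| realm:", realm,
              "| strict host:", service_host(comps, "strict"),
              "| component2 host:", service_host(comps, "component2"))
```

Running the block shows the three behaviours side by side: the legacy parser rejects the four-component name as malformed, the strict policy parses it but refuses to bind it to any host, and the component2 policy binds it to nn1.example.com, which is the case the comment above describes.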
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch,
> HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch,
> HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch,
> HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
> HADOOP-16214.011.patch
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
>
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)