[ https://issues.apache.org/jira/browse/HADOOP-15440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17065117#comment-17065117 ]
Eric Yang commented on HADOOP-15440:
------------------------------------

[~hexiaoqiao]
{quote}it could be checked in the following statement for this case IIUC.{quote}
In the patch, it has this regex pattern:
{code}String[] components = principalConfig.split("[/@]");{code}
This allows test/_HOST/test to work as a service principal, which is not allowed by the [RFC4120|https://www.ietf.org/rfc/rfc4120.txt] description. The Java JDK code will accept a [principal name without realm|https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L119] and add the default realm if realm information is missing. This allows the validation to pass through for the test/_HOST/test principal as a service principal, which does not strictly follow the KRB_NT_SRV_XHST specification. This principal is a valid Kerberos principal, but it is not a valid service principal. Is this reasoning more clear?

{quote}It is true that using `hadoop.security.dns.interface` is more accurate. Actually this logic is implemented completely in `SecurityUtil`, but when I want to import `hadoop-common` into sub-module `hadoop-auth` it throws a cyclic reference exception. So my question is whether we need to add the same logic to sub-module `hadoop-auth`, or some other solution? Sorry, I am not very familiar with this module. Thanks again.{quote}
I've encountered similar inconvenience with the Hadoop project structure that prevents code sharing between hadoop-common and hadoop-auth. There might need to be duplication of the involved code pieces in the hadoop-auth module to prevent security bugs. It is unfortunate that the code used to live in the same Hadoop common code base in the Hadoop 0.20.x code base; then the Maven project restructuring screwed things up. We live with the debris of over-refactored projects. I think it will be ok to bring some logic from hadoop-common to hadoop-auth for this issue. The hadoop-common + hadoop-auth module merge should be treated as a separate issue.
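To make the point in the comment above concrete, here is an added example written for this page (Python; it is not Hadoop's code and not part of either attached patch). It mirrors the patch's flat split on "[/@]" beside a strict parser that requires the service/host[@REALM] form, and shows why the flat split cannot tell test/_HOST/test apart from test/_HOST@test. The default-realm fill-in stands in for the JDK behaviour the comment links to; the hostname, realm and principal strings are constructed for the example, and backslash escaping of '/' and '@' is deliberately not handled.

```python
import re

HOST_PATTERN = "_HOST"


def flat_split(principal):
    """Mirror Java's principalConfig.split("[/@]") as used in the patch.

    Java's String.split drops trailing empty strings, so the same is done
    here. Every '/' and '@' becomes a component boundary, which is why
    'test/_HOST/test' and 'test/_HOST@test' yield identical arrays.
    """
    parts = re.split(r"[/@]", principal)
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def parse_service_principal(principal, default_realm=None):
    """Strict parse of the service/host[@REALM] form.

    Rules applied (assumptions made for this example, not Hadoop's logic):
      * at most one '@', and it must introduce a non-empty realm with no
        further '@' or '/' in it;
      * a missing realm is filled from default_realm (standing in for the
        JDK's KerberosPrincipal behaviour) or rejected if none is given;
      * the name before the realm must be exactly two non-empty components,
        service and host.
    Returns (service, host, realm) or raises ValueError.
    """
    name, at, realm = principal.partition("@")
    if at:
        if not realm or "@" in realm or "/" in realm:
            raise ValueError(f"malformed realm in {principal!r}")
    else:
        if default_realm is None:
            raise ValueError(f"{principal!r} has no realm and no default realm")
        realm = default_realm
    components = name.split("/")
    if len(components) != 2 or not all(components):
        raise ValueError(f"{principal!r} is not of the form service/host")
    return components[0], components[1], realm


def is_valid_service_principal(principal, default_realm=None):
    """Boolean wrapper around parse_service_principal for validation checks."""
    try:
        parse_service_principal(principal, default_realm)
    except ValueError:
        return False
    return True


def resolve_host_pattern(principal, fqdn, default_realm=None):
    """Validate first, then replace _HOST with the server's FQDN.

    Returns the canonical service/host@REALM string.
    """
    service, host, realm = parse_service_principal(principal, default_realm)
    if host == HOST_PATTERN:
        host = fqdn
    return f"{service}/{host}@{realm}"


if __name__ == "__main__":
    fqdn = "httpfs1.example.com"  # constructed sample hostname
    # The flat split loses the distinction between a third '/' component
    # and an '@' realm: both calls print ['test', '_HOST', 'test'].
    print(flat_split("test/_HOST/test"))
    print(flat_split("test/_HOST@test"))
    print(resolve_host_pattern("HTTP/_HOST@EXAMPLE.COM", fqdn))
    print(resolve_host_pattern("HTTP/_HOST", fqdn, default_realm="EXAMPLE.COM"))
    for bad in ("test/_HOST/test", "HTTP/_HOST@", "HTTP@EXAMPLE.COM", "HTTP/_HOST@A@B"):
        try:
            resolve_host_pattern(bad, fqdn, default_realm="EXAMPLE.COM")
        except ValueError as err:
            print("rejected:", err)
```

The strict parser is what a hadoop-auth copy of the substitution logic would need in order to refuse test/_HOST/test while still accepting HTTP/_HOST with the realm supplied by configuration; the flat split alone would treat the trailing "test" as a realm.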
> Support kerberos principal name pattern for KerberosAuthenticationHandler
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15440
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15440
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Xiaoqiao He
>            Assignee: Xiaoqiao He
>            Priority: Major
>         Attachments: HADOOP-15440-trunk.001.patch, HADOOP-15440.002.patch
>
>
> When setting up an HttpFS server or KMS server in security mode, we have to configure
> the Kerberos principal for these services. It doesn't support converting a Kerberos
> principal name pattern to valid Kerberos principal names, whereas
> NameNode/DataNode and many other services can do that, so it is confusing
> for users. So I propose to replace the hostname pattern with the hostname, which
> should be the fully-qualified domain name.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)