[ https://issues.apache.org/jira/browse/HADOOP-9868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13741375#comment-13741375 ]

Kihwal Lee commented on HADOOP-9868:
------------------------------------

> Daryn Sharp, I'm a bit puzzled by this HADOOP-9789. While I understand the
> reasoning for it, doesn't that weaken security? An impersonator can publish an
> alternate principal for which it has a keytab.

Please note that server advertised principals won't be honored by default. 

In order for the scenario you mentioned to happen, the client needs to connect 
to the fake service. It means DNS or the server is compromised or something 
like man-in-the-middle. If this happens, one can pretend to be a service, 
regardless of HADOOP-9789. For client-side exploits, if the client-side is 
compromised, a fake server address and a wide open SPN pattern may be placed in 
the config to trick the client. But if the system is compromised to this level, 
one can trick the client in many different ways anyway.
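The client-side decision the comment describes, as an added illustration that is not Hadoop's own code: an advertised service principal is ignored unless the client explicitly configures an acceptance pattern, the advertisement must not carry a realm (the point of HADOOP-9868), and a wide-open pattern is the weak setting. Function names, the principal format and the sample values are assumptions constructed for this example.

```python
import re

# Constructed model of the client check; not the Hadoop SaslRpcClient implementation.
# Advertised form is "service/host" with an optional "@REALM" suffix that must be absent.
ADVERTISED_RE = re.compile(r"^([A-Za-z0-9_.-]+)/([A-Za-z0-9.-]+)(@.*)?$")


def choose_server_principal(configured_principal, advertised, accept_pattern=None):
    """Return the principal the client should authenticate to, or raise ValueError.

    configured_principal: the client's own configured service principal (trusted)
    advertised:           the principal the server advertised, or None
    accept_pattern:       regex the advertisement must fully match; None means
                          advertisements are not honored (the default posture)
    """
    if accept_pattern is None or advertised is None:
        return configured_principal
    m = ADVERTISED_RE.match(advertised)
    if not m:
        raise ValueError("malformed advertised principal: %r" % advertised)
    service, host, realm = m.groups()
    if realm:
        # SASL client/server cannot take a realm here, so an advertisement
        # carrying one is rejected rather than guessed at.
        raise ValueError("advertised principal must not carry a realm")
    candidate = "%s/%s" % (service, host)
    if not re.fullmatch(accept_pattern, candidate):
        raise ValueError("advertised principal %r rejected by pattern" % candidate)
    return candidate


def advertisement_accepted(configured_principal, advertised, accept_pattern):
    """True if the advertised principal would replace the configured one."""
    try:
        chosen = choose_server_principal(configured_principal, advertised, accept_pattern)
    except ValueError:
        return False
    return chosen != configured_principal


def pattern_is_wide_open(accept_pattern):
    """Config lint: flag a pattern that accepts a host in an unrelated domain."""
    probe = "nn/host.unrelated.invalid"  # constructed probe value
    return re.fullmatch(accept_pattern, probe) is not None
```

With no pattern configured the advertisement is never honored, a scoped pattern such as `nn/[a-z0-9-]+\.example\.com` only lets the server steer the client within the expected domain, and `.*` is the "wide open SPN pattern" the comment warns about.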

> Server must not advertise kerberos realm
> ----------------------------------------
>
>                 Key: HADOOP-9868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9868
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9868.patch
>
>
> HADOOP-9789 broke kerberos authentication by making the RPC server advertise 
> the kerberos service principal realm.  SASL clients and servers do not 
> support specifying a realm, so it must be removed from the advertisement.
