[ https://issues.apache.org/jira/browse/ZOOKEEPER-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15312604#comment-15312604 ]
Andy B edited comment on ZOOKEEPER-2433 at 6/2/16 4:35 PM:
-----------------------------------------------------------

Yes, it's exactly the same issue. Both patches aim to allow the use of UPNs.

*HADOOP-10183*
- _SaslRpc[Client|Server]_: explicitly checks that the KerberosName is in SPN format and throws an exception if it's not the case.
- Patch: check is removed on client and server side, regex distinguishes between SPN and UPN and sets the hostname to _InetAddress.getLocalHost().getCanonicalHostName()_ for the latter

*ZOOKEEPER-2433*
- _ZooKeeperSaslServer_: parsing fails due to the missing host/machine name in the SPN
- Patch: primitively distinguishes between SPN and UPN and sets the hostname to null for the latter


was (Author: andy_b):
Yes, it's exactly the same issue. Both patches aim to allow the use of UPNs.

*HADOOP-10183*
- _SaslRpc[Client|Server]_: explicitly checks that the KerberosName is in SPN format and throws an exception if it's not the case.
- Patch: check is removed on client and server side, regex distinguishes between SPN and UPN and sets the hostname to InetAddress.getLocalHost().getCanonicalHostName() for the latter

*ZOOKEEPER-2433*
- _ZooKeeperSaslServer_: parsing fails due to the missing host/machine name in the SPN
- Patch: primitively distinguishes between SPN and UPN and sets the hostname to null for the latter

> ZooKeeperSaslServer: allow user principals in subject
> -----------------------------------------------------
>
> Key: ZOOKEEPER-2433
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2433
> Project: ZooKeeper
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.5.1
> Reporter: Andy B
> Assignee: Andy B
> Labels: easyfix
> Fix For: 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2433.patch
>
> Original Estimate: 5h
> Remaining Estimate: 5h
>
> The _createSaslServer_ function in ZooKeeperSaslServer +handles only service
> principal names+ (eg. *service_name/{color:blue}machine_name{color}@realm*),
> though sometimes user/service principal names +without host name+ (eg.
> *service_name@realm*) are used for authentication.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
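
The SPN/UPN distinction discussed in the comment above, as an added example that is not the code of either patch: a hypothetical `PrincipalParts` parser that splits a Kerberos principal into primary, optional host and realm, returns a null host for the host-less form, and rejects malformed names instead of guessing. It assumes an explicit realm and no escaped `/` or `@` in any component; the sample principals are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration. Class, field and method names are hypothetical,
// not taken from ZooKeeper or Hadoop.
public class PrincipalParts {
    // primary[/host]@REALM: the host component is present for the SPN form
    // (service_name/machine_name@realm) and absent for service_name@realm.
    // Assumption: no escaped separators and at most one '/' component.
    private static final Pattern PRINCIPAL =
            Pattern.compile("([^/@]+)(?:/([^/@]+))?@([^/@]+)");

    final String primary; // service or user name
    final String host;    // null when the principal carries no host name
    final String realm;

    private PrincipalParts(String primary, String host, String realm) {
        this.primary = primary;
        this.host = host;
        this.realm = realm;
    }

    static PrincipalParts parse(String principal) {
        if (principal == null) {
            throw new IllegalArgumentException("principal is null");
        }
        Matcher m = PRINCIPAL.matcher(principal);
        if (!m.matches()) {
            // Empty components or a missing realm are rejected outright.
            throw new IllegalArgumentException("not a Kerberos principal: " + principal);
        }
        return new PrincipalParts(m.group(1), m.group(2), m.group(3));
    }

    public static void main(String[] args) {
        String[] samples = {                          // constructed inputs
            "zookeeper/zk1.example.com@EXAMPLE.COM",  // host present
            "zookeeper@EXAMPLE.COM",                  // no host: host == null
            "zookeeper/@EXAMPLE.COM",                 // empty host: rejected
            "zookeeper"                               // no realm: rejected
        };
        for (String s : samples) {
            try {
                PrincipalParts p = parse(s);
                System.out.printf("%s -> primary=%s host=%s realm=%s%n",
                        s, p.primary, p.host, p.realm);
            } catch (IllegalArgumentException e) {
                System.out.printf("%s -> rejected (%s)%n", s, e.getMessage());
            }
        }
    }
}
```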