Matt Foley created HADOOP-12617:
-----------------------------------
Summary: SPNEGO authentication request to non-default realm gets
default realm name inserted in target server principal
Key: HADOOP-12617
URL: https://issues.apache.org/jira/browse/HADOOP-12617
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.7.1
Environment: Java client talking to two secure clusters in different
Kerberos realms,
or talking to any secure cluster in non-default realm
Reporter: Matt Foley
Assignee: Matt Foley
Note: This is NOT a vulnerability.
In order for a single Java client to communicate with two different secure
clusters in different realms (only one of which can be the "default_realm"),
the client's krb5.conf file must specify both realms, and provide a
\[domain_realm\] section that maps cluster servers' domains to the correct
realms. With other appropriate behaviors (such as using the config from each
cluster to talk to the respective clusters, and a user principal from each
realm to talk to the respective realms), this is sufficient for most Hadoop
ecosystem clients.
But our SPNEGO using clients, such as Oozie, have a bug when it comes to
talking to a non-default realm. The default realm name gets incorrectly
inserted into the construction of the target server principal for the
non-default-realm cluster. Details and proposed solution are given in the
first comments below.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
