[ https://issues.apache.org/jira/browse/HADOOP-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Foley resolved HADOOP-12617. --------------------------------- Resolution: Fixed Fix Version/s: 2.8.0 > SPNEGO authentication request to non-default realm gets default realm name > inserted in target server principal > -------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-12617 > URL: https://issues.apache.org/jira/browse/HADOOP-12617 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.7.1 > Environment: Java client talking to two secure clusters in different > Kerberos realms, > or talking to any secure cluster in non-default realm > Reporter: Matt Foley > Assignee: Matt Foley > Fix For: 2.8.0 > > Attachments: HADOOP-12617-branch-2.7.001.patch, > HADOOP-12617-branch-2.7.003.patch, HADOOP-12617.003.patch, > HADOOP-12617.005.patch, HADOOP-12617.006.patch, HADOOP-12617.007.patch, > HADOOP-12617.008.patch > > > Note: This is NOT a vulnerability. > In order for a single Java client to communicate with two different secure > clusters in different realms (only one of which can be the "default_realm"), > the client's krb5.conf file must specify both realms, and provide a > \[domain_realm\] section that maps cluster servers' domains to the correct > realms. With other appropriate behaviors (such as using the config from each > cluster to talk to the respective clusters, and a user principal from each > realm to talk to the respective realms), this is sufficient for most Hadoop > ecosystem clients. > But our SPNEGO using clients, such as Oozie, have a bug when it comes to > talking to a non-default realm. The default realm name gets incorrectly > inserted into the construction of the target server principal for the > non-default-realm cluster. Details and proposed solution are given in the > first comments below. -- This message was sent by Atlassian JIRA (v6.3.4#6332)