Hadoop Common / HADOOP-10418

SaslRpcClient should not assume that remote principals are in the default_realm

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.5.0
    • Component/s: security
    • Labels: None
    • Target Version/s:
    • Hadoop Flags: Reviewed

      Description

      In SaslRpcClient#getServerPrincipal, when constructing the KerberosPrincipal to compare to the configured value, we just assume that the remote principal is in the default realm configured in /etc/krb5.conf. This will not always be the case, however. Instead, we should use the configured domain_realm mapping to determine the realm of the remote principal.

      1. HADOOP-10418.patch
        0.9 kB
        Aaron T. Myers

        Activity

        Aaron T. Myers added a comment -

        Straightforward patch attached to specify the correct name type for this principal, which will cause the JDK Kerberos library to use the domain_realm mapping to determine the correct realm.

        No tests are included because of the difficulty of setting up an appropriate environment in the unit tests. I manually tested this and confirmed that it works as expected.
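
        How the name type changes the realm the JDK assigns to a principal that arrives without one, as an added example that is not the attached patch or Hadoop code. It assumes KRB_NT_SRV_HST as the host-based name type; the realms, the host name and the krb5.conf contents are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.kerberos.KerberosPrincipal;

public class RealmResolutionDemo {
    public static void main(String[] args) throws Exception {
        // Constructed krb5.conf: the client's default realm differs from the
        // realm that [domain_realm] assigns to hosts under data.example.
        String krb5Conf = String.join("\n",
            "[libdefaults]",
            "  default_realm = CORP.EXAMPLE",
            "[domain_realm]",
            "  .data.example = DATA.EXAMPLE",
            "");
        Path conf = Files.createTempFile("krb5", ".conf");
        Files.write(conf, krb5Conf.getBytes(StandardCharsets.UTF_8));
        // Must be set before the first Kerberos class reads its configuration.
        System.setProperty("java.security.krb5.conf", conf.toString());

        // Principal the client is configured to expect (constructed value).
        String configured = "hdfs/nn1.data.example@DATA.EXAMPLE";
        // Protocol and server id as a server would advertise them: no realm.
        String advertised = "hdfs/nn1.data.example";

        // KRB_NT_PRINCIPAL (also the single-argument constructor's type):
        // a name without a realm is placed in default_realm.
        String viaDefaultRealm = new KerberosPrincipal(
            advertised, KerberosPrincipal.KRB_NT_PRINCIPAL).getName();

        // KRB_NT_SRV_HST: the host component is looked up in [domain_realm];
        // default_realm is used only when no mapping matches. The JDK may
        // also try to canonicalize the host through name resolution; the
        // constructed host does not resolve, so it is kept as written.
        String viaDomainRealm = new KerberosPrincipal(
            advertised, KerberosPrincipal.KRB_NT_SRV_HST).getName();

        System.out.println("KRB_NT_PRINCIPAL -> " + viaDefaultRealm
            + " | matches configured: " + viaDefaultRealm.equals(configured));
        System.out.println("KRB_NT_SRV_HST   -> " + viaDomainRealm
            + " | matches configured: " + viaDomainRealm.equals(configured));
        Files.delete(conf);
    }
}
```

        A string comparison against the configured principal only succeeds when the constructed name carries the realm the server is actually in, which is why the name type matters for this check.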

        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12636163/HADOOP-10418.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3693//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3693//console

        This message is automatically generated.

        Chris Nauroth added a comment -

        +1 for the patch. Thanks, Aaron!

        Daryn Sharp added a comment -

        +1 Looks ok to me. I assumed kerberos was using the krb5.conf realm mapping since it works in our env.

        Aaron T. Myers added a comment -

        Thanks a lot for the reviews, gents. I've just committed this to trunk and branch-2.

        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-trunk-Commit #5385 (See https://builds.apache.org/job/Hadoop-trunk-Commit/5385/)
        HADOOP-10418. SaslRpcClient should not assume that remote principals are in the default_realm. Contributed by Aaron T. Myers. (atm: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1580666)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Yarn-trunk #519 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/519/)
        HADOOP-10418. SaslRpcClient should not assume that remote principals are in the default_realm. Contributed by Aaron T. Myers. (atm: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1580666)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Hdfs-trunk #1711 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1711/)
        HADOOP-10418. SaslRpcClient should not assume that remote principals are in the default_realm. Contributed by Aaron T. Myers. (atm: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1580666)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Mapreduce-trunk #1736 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1736/)
        HADOOP-10418. SaslRpcClient should not assume that remote principals are in the default_realm. Contributed by Aaron T. Myers. (atm: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1580666)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
        Vinod Kumar Vavilapalli added a comment -

        Closing old tickets that are already shipped in a release.


          People

          • Assignee: Aaron T. Myers
          • Reporter: Aaron T. Myers
          • Votes: 0
          • Watchers: 8
