Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12617

SPNEGO authentication request to non-default realm gets default realm name inserted in target server principal



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.7.1
    • 2.8.0, 3.0.0-alpha1
    • security
    • None
    • Java client talking to two secure clusters in different Kerberos realms,
      or talking to any secure cluster in non-default realm


      Note: This is NOT a vulnerability.

      In order for a single Java client to communicate with two different secure clusters in different realms (only one of which can be the "default_realm"), the client's krb5.conf file must specify both realms, and provide a [domain_realm] section that maps cluster servers' domains to the correct realms. With other appropriate behaviors (such as using the config from each cluster to talk to the respective clusters, and a user principal from each realm to talk to the respective realms), this is sufficient for most Hadoop ecosystem clients.

      But our SPNEGO using clients, such as Oozie, have a bug when it comes to talking to a non-default realm. The default realm name gets incorrectly inserted into the construction of the target server principal for the non-default-realm cluster. Details and proposed solution are given in the first comments below.


        1. HADOOP-12617.003.patch
          9 kB
          Matthew Foley
        2. HADOOP-12617.005.patch
          8 kB
          Matthew Foley
        3. HADOOP-12617.006.patch
          8 kB
          Matthew Foley
        4. HADOOP-12617.007.patch
          9 kB
          Matthew Foley
        5. HADOOP-12617.008.patch
          9 kB
          Matthew Foley
        6. HADOOP-12617-branch-2.7.001.patch
          8 kB
          Matthew Foley
        7. HADOOP-12617-branch-2.7.003.patch
          8 kB
          Matthew Foley



            mattf Matthew Foley
            mattf Matthew Foley
            0 Vote for this issue
            9 Start watching this issue