Hadoop Common / HADOOP-12617

SPNEGO authentication request to non-default realm gets default realm name inserted in target server principal


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.1
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: security
    • Labels:
    • Environment:

      Java client talking to two secure clusters in different Kerberos realms,
      or talking to any secure cluster in non-default realm

    • Target Version/s:


      Note: This is NOT a vulnerability.

      In order for a single Java client to communicate with two different secure clusters in different realms (only one of which can be the "default_realm"), the client's krb5.conf file must specify both realms, and provide a [domain_realm] section that maps cluster servers' domains to the correct realms. With other appropriate behaviors (such as using the config from each cluster to talk to the respective clusters, and a user principal from each realm to talk to the respective realms), this is sufficient for most Hadoop ecosystem clients.

      But our SPNEGO-using clients, such as Oozie, have a bug when it comes to talking to a non-default realm. The default realm name gets incorrectly inserted into the construction of the target server principal for the non-default-realm cluster. Details and proposed solution are given in the first comments below.
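
      A simplified model of the host-to-realm resolution the description above relies on, added here as an example (not code from Hadoop or from the attached patches). It reads a constructed krb5.conf, applies [domain_realm], and builds the HTTP/host@REALM target principal; the realm names, host names and function names are assumptions, and `use_mapping=False` only imitates the reported symptom.

```python
# Constructed sample krb5.conf; realm and host names are made up for this example.
KRB5_CONF = """
[libdefaults]
    default_realm = ALPHA.EXAMPLE.COM
[realms]
    ALPHA.EXAMPLE.COM = {
        kdc = kdc.alpha.example.com
    }
    BETA.EXAMPLE.COM = {
        kdc = kdc.beta.example.com
    }
[domain_realm]
    .alpha.example.com = ALPHA.EXAMPLE.COM
    .beta.example.com = BETA.EXAMPLE.COM
    gateway.example.com = BETA.EXAMPLE.COM
"""

def parse_flat_sections(text):
    """Return {section: {key: value}}, skipping brace-delimited sub-blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]") and depth == 0:
            current = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def realm_for_host(conf, host):
    """Exact host entry first, then '.domain' entries, most specific first."""
    rules = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in rules:
            return rules[name]
    # Simplification of this model: with no mapping, use default_realm.
    return conf["libdefaults"]["default_realm"]

def spnego_principal(conf, host, use_mapping=True):
    """use_mapping=False models the reported symptom, not Hadoop's actual code."""
    default = conf["libdefaults"]["default_realm"]
    return f"HTTP/{host}@{realm_for_host(conf, host) if use_mapping else default}"
```

      A client checking its own configuration can compare the two results for a server in the non-default realm: if they differ, any code path that skips the [domain_realm] lookup will request a ticket for a principal in the wrong realm.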


        1. HADOOP-12617.003.patch
          9 kB
          Matt Foley
        2. HADOOP-12617.005.patch
          8 kB
          Matt Foley
        3. HADOOP-12617.006.patch
          8 kB
          Matt Foley
        4. HADOOP-12617.007.patch
          9 kB
          Matt Foley
        5. HADOOP-12617.008.patch
          9 kB
          Matt Foley
        6. HADOOP-12617-branch-2.7.001.patch
          8 kB
          Matt Foley
        7. HADOOP-12617-branch-2.7.003.patch
          8 kB
          Matt Foley



            • Assignee:
              mattf Matt Foley
            • Votes:
              0
            • Watchers:
              9


              • Created: