-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 2.7.1
-
Fix Version/s: 2.8.0, 3.0.0-alpha1
-
Component/s: security
-
Labels:None
-
Environment:
Java client talking to two secure clusters in different Kerberos realms,
or talking to any secure cluster in non-default realm
-
Target Version/s:
Note: This is NOT a vulnerability.
In order for a single Java client to communicate with two different secure clusters in different realms (only one of which can be the "default_realm"), the client's krb5.conf file must specify both realms, and provide a [domain_realm] section that maps cluster servers' domains to the correct realms. With other appropriate behaviors (such as using the config from each cluster to talk to the respective clusters, and a user principal from each realm to talk to the respective realms), this is sufficient for most Hadoop ecosystem clients.
But our SPNEGO using clients, such as Oozie, have a bug when it comes to talking to a non-default realm. The default realm name gets incorrectly inserted into the construction of the target server principal for the non-default-realm cluster. Details and proposed solution are given in the first comments below.