Hadoop Common
  1. Hadoop Common
  2. HADOOP-6603

Provide workaround for issue with Kerberos not resolving cross-realm principal

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Java's SSL-Kerberos implementation does not correctly obtain the principal for cross-realm principles when clients initiate connections to servers, resulting in the client being unable to authenticate the server. We need a work-around until this bug gets fixed.

      1. fix_comment_y20.patch
        0.8 kB
        Jakob Homan
      2. HADOOP-6603.1.patch
        6 kB
        Jitendra Nath Pandey
      3. HADOOP-6603.2.patch
        6 kB
        Jitendra Nath Pandey
      4. HADOOP-6603-Y20S.patch
        2 kB
        Jakob Homan
      5. HADOOP-6603-Y20S-2.patch
        5 kB
        Jakob Homan
      6. HADOOP-6603-Y20S-3.patch
        8 kB
        Jakob Homan
      7. HADOOP-6603-Y20S-4.patch
        8 kB
        Kan Zhang

        Issue Links

          Activity

          Hide
          Jakob Homan added a comment -

          Attaching patch for Y20 distribution. Manually tested; unfortunately a not unit-testable. Patch for trunk shortly. Most of this work is Kan's.

          Show
          Jakob Homan added a comment - Attaching patch for Y20 distribution. Manually tested; unfortunately a not unit-testable. Patch for trunk shortly. Most of this work is Kan's.
          Hide
          Jakob Homan added a comment -

          Updated patch with new file. Forget git add, get sad...

          Show
          Jakob Homan added a comment - Updated patch with new file. Forget git add, get sad...
          Hide
          Jakob Homan added a comment -

          Updated patch with more specific logic and unit test.

          Show
          Jakob Homan added a comment - Updated patch with more specific logic and unit test.
          Hide
          Owen O'Malley added a comment -

          I don't think that the check to make sure the 2 component of the krbtgt is the realm is necessary. Other than that, it looks good.

          Show
          Owen O'Malley added a comment - I don't think that the check to make sure the 2 component of the krbtgt is the realm is necessary. Other than that, it looks good.
          Hide
          Kan Zhang added a comment -

          > I don't think that the check to make sure the 2 component of the krbtgt is the realm is necessary.

          It's needed since we want to use the original TGS ticket issued by the user's original realm, not any intermediate TGS tickets that were cached in the Subject by previous operations. Those intermediate TGS tickets may be issued for realms that are different from the target realm of the current request, which will cause the current get service ticket operation to fail.

          Show
          Kan Zhang added a comment - > I don't think that the check to make sure the 2 component of the krbtgt is the realm is necessary. It's needed since we want to use the original TGS ticket issued by the user's original realm, not any intermediate TGS tickets that were cached in the Subject by previous operations. Those intermediate TGS tickets may be issued for realms that are different from the target realm of the current request, which will cause the current get service ticket operation to fail.
          Hide
          Kan Zhang added a comment -

          +1 on the patch.

          Show
          Kan Zhang added a comment - +1 on the patch.
          Hide
          Owen O'Malley added a comment -

          Shouldn't this be looking for the default realm?

          Something like:

          Config.getInstance().getDefaultRealm()
          

          That seems a lot more understandable than making sure the two components are the same.

          Show
          Owen O'Malley added a comment - Shouldn't this be looking for the default realm? Something like: Config.getInstance().getDefaultRealm() That seems a lot more understandable than making sure the two components are the same.
          Hide
          Kan Zhang added a comment -

          > Shouldn't this be looking for the default realm?
          The default realm may not be the home realm of the current user you want to get a service ticket for.

          Show
          Kan Zhang added a comment - > Shouldn't this be looking for the default realm? The default realm may not be the home realm of the current user you want to get a service ticket for.
          Hide
          Kan Zhang added a comment -

          uploaded a new patch based on Jakob's patch (not for commit to trunk)
          1. Moved SecurityUtil.java from hdfs to core.
          2. Added comments on the possible presence of cross-realm TGT's in the Subject's credential cache.

          Show
          Kan Zhang added a comment - uploaded a new patch based on Jakob's patch (not for commit to trunk) 1. Moved SecurityUtil.java from hdfs to core. 2. Added comments on the possible presence of cross-realm TGT's in the Subject's credential cache.
          Hide
          Owen O'Malley added a comment -

          +1

          Show
          Owen O'Malley added a comment - +1
          Hide
          Jakob Homan added a comment -

          Be more explicit about this lousy method we have to have, but no one should use...

          Show
          Jakob Homan added a comment - Be more explicit about this lousy method we have to have, but no one should use...
          Hide
          Jitendra Nath Pandey added a comment -

          Patch for common trunk uploaded.

          Show
          Jitendra Nath Pandey added a comment - Patch for common trunk uploaded.
          Hide
          Jitendra Nath Pandey added a comment -

          HADOOP-6603.1.patch is submitted for hudson tests.

          Show
          Jitendra Nath Pandey added a comment - HADOOP-6603 .1.patch is submitted for hudson tests.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12446784/HADOOP-6603.1.patch
          against trunk revision 953388.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

          -1 javac. The applied patch generated 1032 javac compiler warnings (more than the trunk's current 1022 warnings).

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12446784/HADOOP-6603.1.patch against trunk revision 953388. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. -1 javadoc. The javadoc tool appears to have generated 1 warning messages. -1 javac. The applied patch generated 1032 javac compiler warnings (more than the trunk's current 1022 warnings). +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/testReport/ Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/artifact/trunk/build/test/checkstyle-errors.html Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/577/console This message is automatically generated.
          Hide
          Jitendra Nath Pandey added a comment -

          Fixed a javadoc.

          Show
          Jitendra Nath Pandey added a comment - Fixed a javadoc.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12446806/HADOOP-6603.2.patch
          against trunk revision 953388.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

          -1 javac. The applied patch generated 1032 javac compiler warnings (more than the trunk's current 1022 warnings).

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12446806/HADOOP-6603.2.patch against trunk revision 953388. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. -1 javadoc. The javadoc tool appears to have generated 1 warning messages. -1 javac. The applied patch generated 1032 javac compiler warnings (more than the trunk's current 1022 warnings). +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/testReport/ Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/artifact/trunk/build/test/checkstyle-errors.html Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/578/console This message is automatically generated.
          Hide
          Jitendra Nath Pandey added a comment -

          Both javadoc and javac warnings are related to sun.security.krb5.Config
          "warning: sun.security.krb5.Config is Sun proprietary API and may be removed in a future release"

          Show
          Jitendra Nath Pandey added a comment - Both javadoc and javac warnings are related to sun.security.krb5.Config "warning: sun.security.krb5.Config is Sun proprietary API and may be removed in a future release"
          Hide
          Boris Shkolnik added a comment -

          +1

          Show
          Boris Shkolnik added a comment - +1
          Hide
          Jakob Homan added a comment -

          I've committed this. Resolving as fixed.

          Show
          Jakob Homan added a comment - I've committed this. Resolving as fixed.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #295 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/295/)
          HADOOP-6603. Provide workaround for issue with Kerberos not resolving cross-realm principal. Contributed by Kan Zhang and Jitendra Pandey.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #295 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/295/ ) HADOOP-6603 . Provide workaround for issue with Kerberos not resolving cross-realm principal. Contributed by Kan Zhang and Jitendra Pandey.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #363 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/363/)
          HADOOP-6603. Provide workaround for issue with Kerberos not resolving cross-realm principal. Contributed by Kan Zhang and Jitendra Pandey.

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk #363 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/363/ ) HADOOP-6603 . Provide workaround for issue with Kerberos not resolving cross-realm principal. Contributed by Kan Zhang and Jitendra Pandey.

            People

            • Assignee:
              Jitendra Nath Pandey
              Reporter:
              Jakob Homan
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development