Hadoop Common / HADOOP-6907

Rpc client doesn't use the per-connection conf to figure out server's Kerberos principal

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.20.203.0, 0.22.0
    • Component/s: ipc, security
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      Currently, RPC client caches the conf that was passed in to its constructor and uses that same conf (or values obtained from it) for every connection it sets up. This is not sufficient for security since each connection needs to figure out server's Kerberos principal on a per-connection basis. It's not reasonable to expect the first conf used by a user to contain all the Kerberos principals that her future connections will ever need. Or worse, if her first conf contains an incorrect principal name, it will prevent the user from connecting to the server even if she later on passes in a correct conf on retry (by calling RPC.getProxy()).
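
The retry failure described above, as an added example that is not part of the original issue and is not Hadoop's code: a toy Java model in which a shared client keeps the first conf it saw, next to a variant that reads the server principal from the conf passed with each connection. All class names, the conf key `example.server.principal` and the principal strings are hypothetical, constructed for illustration.

```java
import java.util.Map;

// Toy model of the bug described above; none of these classes are Hadoop's.
public class PerConnectionPrincipalDemo {
    static final String KEY = "example.server.principal"; // hypothetical conf key

    // Stand-in for the Kerberos handshake: it succeeds only when the client
    // requests a ticket for the principal the server really runs as.
    static boolean handshake(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    // Before: one shared client keeps the conf it was constructed with.
    static class CachingClient {
        private static CachingClient shared;          // reused across calls
        private final Map<String, String> firstConf;
        private CachingClient(Map<String, String> conf) { firstConf = conf; }

        static boolean connect(String serverPrincipal, Map<String, String> conf) {
            if (shared == null) shared = new CachingClient(conf);
            // The conf passed to this call is ignored once a client exists.
            return handshake(shared.firstConf.get(KEY), serverPrincipal);
        }
    }

    // After: each connection resolves the principal from the conf passed in.
    static class PerConnectionClient {
        static boolean connect(String serverPrincipal, Map<String, String> conf) {
            return handshake(conf.get(KEY), serverPrincipal);
        }
    }

    public static void main(String[] args) {
        String server = "nn/host1.example.com@EXAMPLE.COM";   // constructed value
        Map<String, String> wrong = Map.of(KEY, "nn/typo.example.com@EXAMPLE.COM");
        Map<String, String> right = Map.of(KEY, server);

        System.out.println("caching, first conf (wrong):  " + CachingClient.connect(server, wrong));
        System.out.println("caching, retry (right):       " + CachingClient.connect(server, right));
        System.out.println("per-conn, first conf (wrong): " + PerConnectionClient.connect(server, wrong));
        System.out.println("per-conn, retry (right):      " + PerConnectionClient.connect(server, right));
    }
}
```

Only the per-connection variant recovers on the retry with the corrected conf; the caching variant keeps failing because it still holds the first principal.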

      1. c6907-Y20S.1xx.05.patch
        27 kB
        Kan Zhang
      2. c6907-18.patch
        28 kB
        Kan Zhang
      3. c6907-16.patch
        23 kB
        Kan Zhang
      4. c6907-15.patch
        23 kB
        Kan Zhang
      5. c6907-12.patch
        22 kB
        Kan Zhang

          Activity

          (Each change is listed as Field: Original Value -> New Value; entries with a single value show only that value.)

          Kan Zhang created issue
          Kan Zhang made changes
            Description: "... on retry (RPC.getProxy())." -> "... on retry (by calling RPC.getProxy())." (text otherwise identical to the Description above)
          Kan Zhang made changes
            Attachment: c6907-12.patch [ 12452224 ]
          Kan Zhang made changes
            Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Jakob Homan made changes
            Status: Patch Available [ 10002 ] -> Open [ 1 ]
          Kan Zhang made changes
            Attachment: c6907-15.patch [ 12452346 ]
          Kan Zhang made changes
            Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Kan Zhang made changes
            Attachment: c6907-16.patch [ 12453285 ]
          Kan Zhang made changes
            Attachment: c6907-18.patch [ 12453460 ]
          Giridharan Kesavan made changes
            Status: Patch Available [ 10002 ] -> Open [ 1 ]
          Giridharan Kesavan made changes
            Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Giridharan Kesavan made changes
            Status: Patch Available [ 10002 ] -> Open [ 1 ]
          Giridharan Kesavan made changes
            Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Giridharan Kesavan made changes
            Status: Patch Available [ 10002 ] -> Open [ 1 ]
          Giridharan Kesavan made changes
            Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Hairong Kuang made changes
            Status: Patch Available [ 10002 ] -> Resolved [ 5 ]
            Hadoop Flags: [Reviewed]
            Fix Version/s: 0.22.0 [ 12314296 ]
            Resolution: Fixed [ 1 ]
          Kan Zhang made changes
            Link: This issue relates to HADOOP-6938 [ HADOOP-6938 ]
          Kan Zhang made changes
            Attachment: c6907-Y20S.1xx.05.patch [ 12453844 ]
          Suresh Srinivas made changes
            Link: This issue blocks HADOOP-6889 [ HADOOP-6889 ]
          Matt Foley made changes
            Fix Version/s: 0.20.203.0 [ 12316064 ]
          Owen O'Malley made changes
            Status: Resolved [ 5 ] -> Closed [ 6 ]
          Gavin made changes
            Link: This issue blocks HADOOP-6889 [ HADOOP-6889 ]
          Gavin made changes
            Link: This issue is depended upon by HADOOP-6889 [ HADOOP-6889 ]

            People

            • Assignee: Kan Zhang
            • Reporter: Kan Zhang
            • Votes: 0
            • Watchers: 6
