  1. Kudu
  2. KUDU-2121

Java Client chooses GSSAPI SASL mechanism when Kerberos credentials are not present

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.0
    • Fix Version/s: 1.7.0
    • Component/s: java, security
    • Labels:
      None

      Description

      I've found an interesting difference in behavior between macOS/Oracle JDK 8.0_144 and CentOS 7/OpenJDK 8.0_121 in the SASL mechanism choosing code. On macOS, it will not choose GSSAPI if Kerberos credentials aren't present, because Sasl.createSaslClient will throw a SaslException. On CentOS 7 with OpenJDK, GSSAPI will be chosen, and the negotiation will fail during the first call to saslClient.evaluateChallenge (again, with a SaslException). I haven't gotten to the bottom of the difference in behavior, and whether the platform, JDK version, or both is involved.

      Practically, the only effect this has is that unauthenticated clients on the Linux/OpenJDK platform will be unable to connect to authentication-optional servers, since the server will present GSSAPI as an option, the client will choose it, and then fail during evaluateChallenge.
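
One way a client can avoid the failure described above is to check the Subject for a current Kerberos ticket before considering GSSAPI, instead of relying on Sasl.createSaslClient to throw. The following is an added example for JDK 8, not the Kudu client's code or the fix that was committed; the class name, preference list, "kudu" service name, host name and PLAIN credentials are assumptions made for illustration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.sasl.*;

public class SaslMechanismChooser {
  // Preference order and PLAIN credentials are constructed for this example.
  static final List<String> PREFERENCE = Arrays.asList("GSSAPI", "PLAIN");
  static final CallbackHandler PLAIN_CREDS = callbacks -> {
    for (Callback cb : callbacks) {
      if (cb instanceof NameCallback) ((NameCallback) cb).setName("example-user");
      else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(new char[0]);
      else throw new UnsupportedCallbackException(cb);
    }
  };

  /** True only if the subject holds at least one non-expired Kerberos ticket. */
  static boolean hasKerberosTicket(Subject subject) {
    if (subject == null) return false;
    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
      if (t.isCurrent()) return true;
    }
    return false;
  }

  /** First preferred mechanism that the server offers and this client can really use. */
  static String choose(Set<String> offered, Subject subject, String host) {
    for (String mech : PREFERENCE) {
      if (!offered.contains(mech)) continue;
      // Explicit credential check: on some platforms createSaslClient succeeds
      // without credentials and the failure only appears in evaluateChallenge.
      if (mech.equals("GSSAPI") && !hasKerberosTicket(subject)) continue;
      try {
        SaslClient c = Subject.doAs(subject, (PrivilegedExceptionAction<SaslClient>) () ->
            Sasl.createSaslClient(new String[] {mech}, null, "kudu", host, null, PLAIN_CREDS));
        if (c != null) { c.dispose(); return mech; }
      } catch (PrivilegedActionException | SaslException e) {
        // Mechanism unusable on this platform; try the next preference.
      }
    }
    return null;
  }

  public static void main(String[] args) {
    Set<String> offered = new HashSet<>(Arrays.asList("GSSAPI", "PLAIN"));
    // Empty Subject: no ticket, so GSSAPI is skipped even though the server offers it.
    System.out.println(choose(offered, new Subject(), "server.example.com"));
  }
}
```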

            People

            • Assignee:
              danburkert Dan Burkert
              Reporter:
              danburkert Dan Burkert