Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2121

Java Client chooses GSSAPI SASL mechanism when Kerberos credentials are not present

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.4.0
    • 1.7.0
    • java, security
    • None

    Description

      I've found an interesting difference in behavior between macos/Oracle JDK 8.0_144 and Centos 7/OpenJDK 8.0_121 in the Sasl mechanism choosing code. On macos, it will not choose GSSAPI if Kerberos credentials aren't present, because Sasl.createSaslClient will throw a SaslException. On Centos 7 with OpenJDK, GSSAPI will be chosen, and the negotiation will fail during the first call to saslClient.evaluateChallenge (again, with a SaslException). I haven't gotten to the bottom of the difference in behavior, and whether the platform, JDK version, or both is involved.

      Practically, the only effect this has is that unauthenticated clients on the Linux/OpenJDK platform will be unable to connect to authentication-optional servers, since the server will present GSSAPI as an option, the client will choose it, and then fail during evalueateChallenge.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            danburkert Dan Burkert
            danburkert Dan Burkert
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment