Description
The new SentryTransportFactory introduced in SENTRY-1593 has the following code in createTransport():
    String serverPrincipal = transportConfig.getSentryPrincipal(conf);
    serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
    LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
    if (serverPrincipalParts == null) {
        serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
        Preconditions.checkArgument(serverPrincipalParts.length == 3,
            "Kerberos principal should have 3 parts: " + serverPrincipal);
    }
So it caches serverPrincipalParts at the instance level. But the same factory instance can be used to create transports for multiple destinations, which will have different server principals, so the following code:
    return new UgiSaslClientTransport(SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
        serverPrincipalParts[0], serverPrincipalParts[1], socket, wrapUgi, conf);
may return a transport with the wrong principal.
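The following added illustration (not Sentry's code) models the defect: a factory that splits the principal once and keeps the parts on the instance, beside a per-call variant that recomputes them for every destination. Class names, the splitKerberosName stand-in and the two sample principals are constructed for the example.

```java
// Added illustration, not Sentry code: the instance-level cache from the description
// beside a per-call variant that cannot carry one destination's principal to another.
public class PrincipalCacheDemo {
    // Stand-in for SaslRpcServer.splitKerberosName, which splits on '/' and '@'.
    static String[] splitKerberosName(String principal) {
        return principal.split("[/@]");
    }

    static void checkThreeParts(String[] parts, String principal) {
        if (parts.length != 3) {
            throw new IllegalArgumentException("Kerberos principal should have 3 parts: " + principal);
        }
    }

    // Mirrors the reported factory: parts are split once and kept on the instance.
    static class CachingFactory {
        private String[] serverPrincipalParts;
        String transportPrincipal(String serverPrincipal) {
            if (serverPrincipalParts == null) {
                serverPrincipalParts = splitKerberosName(serverPrincipal);
                checkThreeParts(serverPrincipalParts, serverPrincipal);
            }
            // the protocol and server name that would be handed to UgiSaslClientTransport
            return serverPrincipalParts[0] + "/" + serverPrincipalParts[1];
        }
    }

    // Corrected shape: split for every destination, nothing retained between calls.
    static class PerCallFactory {
        String transportPrincipal(String serverPrincipal) {
            String[] parts = splitKerberosName(serverPrincipal);
            checkThreeParts(parts, serverPrincipal);
            return parts[0] + "/" + parts[1];
        }
    }

    public static void main(String[] args) {
        // Constructed principals for two HA Sentry servers; hosts and realm are made up.
        String first = "sentry/sentry-a.example.com@EXAMPLE.COM";
        String second = "sentry/sentry-b.example.com@EXAMPLE.COM";
        CachingFactory cached = new CachingFactory();
        cached.transportPrincipal(first);
        String stale = cached.transportPrincipal(second);   // still sentry-a: stale cache
        PerCallFactory perCall = new PerCallFactory();
        perCall.transportPrincipal(first);
        String fresh = perCall.transportPrincipal(second);  // sentry-b, as intended
        System.out.println("cached factory, second server:   " + stale);
        System.out.println("per-call factory, second server: " + fresh);
    }
}
```

Connecting to the second server with the cached factory would carry the first server's host into the SASL handshake, which is the failover failure the linked issues describe.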
Issue Links
- is duplicated by
  - SENTRY-1777 Generic clients are not able to connect to sentry server with kerberos enabled. (Resolved)
- relates to
  - SENTRY-1593 Implement client failover for Generic and NN clients (Resolved)
  - SENTRY-1580 Provide pooled client connection model with HA (Resolved)
  - SENTRY-1791 Sentry Clients failover not working with kerberos enabled (Resolved)