Uploaded image for project: 'Apache Storm'
  1. Apache Storm
  2. STORM-427

(Security) AutoTGT with HBase can expose JVM kerberos issue



    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.10.0
    • Fix Version/s: 0.10.0
    • Component/s: storm-hbase
    • Labels:


      The oracle JVM with in all versions I have looked at has a bug where it is possible for the JVM to use a service ticket instead of a TGT when requesting a service ticket from the KDC.

      The way the JVM code works right now is that when it looks for the TGT to use to connect to the KDC it will iterate over the all of the KerberosTickets in the private credentials, but it will pull out and use the first ticket that is for the current client. The private credentials set is actually backed by a linked list, so the order they are scanned is insertion order. Because a TGT is going to be inserted before any service tickets in the common case all is fine, the issue only shows up when we insert in a new TGT after other still valid service tickets.

      This also only shows up when you are talking to more then one service, like we do with hbase. If it were talking to just one service then the java code would reuse the valid service ticket instead of trying to get a new service ticket. I'll put up a pull request shortly.




            • Assignee:
              revans2 Robert Joseph Evans
              revans2 Robert Joseph Evans
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: