[ZOOKEEPER-3156] ZOOKEEPER-2184 causes kerberos principal to not have resolved host name - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.6.0, 3.4.13, 3.5.5
Fix Version/s: 3.6.0, 3.5.5, 3.4.14
Component/s: java client
Labels:
- pull-request-available

Description

Prior to ~~ZOOKEEPER-2184~~ the zookeeper client would canonicalize a configured host name before creating the SASL client which is used to create the principal name. After ~~ZOOKEEPER-2184~~ that canonicalization does not happen so the principal that the ZK client tries to use when it is configured to talk to a CName is different between 3.4.13 and all previous versions of ZK.

For example

zk1.mycluster.mycompany.com maps to real-node.mycompany.com.

3.4.13 will want the server to have zookeeper/zk1.mycluster.com@KDC.MYCOMPANY.COM

3.4.12 wants the server to have zookeeper/real-node.mycompany.com@KDC.MYCOMPANY.COM

This makes 3.4.13 incompatible with many ZK setups currently in existence. It would be nice to have that resolution be optional because in some cases it might be nice to have a single principal tied to the cname.

Attachments

Issue Links

links to

GitHub Pull Request #648

GitHub Pull Request #652

Activity

People

Assignee:: Robert Joseph Evans

Reporter:: Robert Joseph Evans

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 26/Sep/18 17:20

Updated:: 04/Oct/19 14:55

Resolved:: 05/Nov/18 18:42

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

12h 20m