You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Benoy Antony (JIRA)" <ji...@apache.org> on 2012/05/10 02:46:52 UTC
[jira] [Created] (HADOOP-8381) Substitute _HOST with hostname for
HTTP principals
Benoy Antony created HADOOP-8381:
------------------------------------
Summary: Substitute _HOST with hostname for HTTP principals
Key: HADOOP-8381
URL: https://issues.apache.org/jira/browse/HADOOP-8381
Project: Hadoop Common
Issue Type: Sub-task
Components: security
Affects Versions: 0.22.0
Reporter: Benoy Antony
Assignee: Benoy Antony
Priority: Minor
Fix For: 0.22.1
SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-8381) Substitute _HOST with hostname
for HTTP principals
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13272036#comment-13272036 ]
Aaron T. Myers commented on HADOOP-8381:
----------------------------------------
Hi Benoy, I don't think this patch works as intended. I don't think it makes sense to default to using the local hostname if no hostname is provided to SecurityUtil#getServerPrincipal(...).
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (HADOOP-8381) Substitute _HOST with hostname for
HTTP principals
Posted by "Konstantin Shvachko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konstantin Shvachko resolved HADOOP-8381.
-----------------------------------------
Resolution: Fixed
Hadoop Flags: Reviewed
+1
I just committed this to branch 0.22.1. Thank you Benoy.
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch, HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8381) Substitute _HOST with hostname for
HTTP principals
Posted by "Benoy Antony (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoy Antony updated HADOOP-8381:
---------------------------------
Attachment: HOST-substitution-spnego.patch
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8381) Substitute _HOST with hostname for
HTTP principals
Posted by "Benoy Antony (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoy Antony updated HADOOP-8381:
---------------------------------
Attachment: HOST-substitution-spnego.patch
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch, HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Work started] (HADOOP-8381) Substitute _HOST with hostname
for HTTP principals
Posted by "Benoy Antony (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on HADOOP-8381 started by Benoy Antony.
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-8381) Substitute _HOST with hostname
for HTTP principals
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289264#comment-13289264 ]
Hudson commented on HADOOP-8381:
--------------------------------
Integrated in Hadoop-Common-22-branch #106 (See [https://builds.apache.org/job/Hadoop-Common-22-branch/106/])
HADOOP-8381. Substitute _HOST with hostname for HTTP principals. Contributed by Benoy Antony. (Revision 1346224)
Result = SUCCESS
shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346224
Files :
* /hadoop/common/branches/branch-0.22/common/CHANGES.txt
* /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
* /hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch, HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-8381) Substitute _HOST with hostname
for HTTP principals
Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273302#comment-13273302 ]
Daryn Sharp commented on HADOOP-8381:
-------------------------------------
I'm inclined to agree with Aaron. Note this change has rather far reaching effects if you check the call heirarchy.
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-8381) Substitute _HOST with hostname
for HTTP principals
Posted by "Benoy Antony (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13276840#comment-13276840 ]
Benoy Antony commented on HADOOP-8381:
--------------------------------------
Thanks for the comments Aaron and Daryn.
The first part of the patch is redundant as replacePattern() has logic which sets fqdn to localhost's fqdn.
I am attaching the new patch which removes this redundant code.
> Substitute _HOST with hostname for HTTP principals
> ----------------------------------------------------
>
> Key: HADOOP-8381
> URL: https://issues.apache.org/jira/browse/HADOOP-8381
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.22.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Priority: Minor
> Fix For: 0.22.1
>
> Attachments: HOST-substitution-spnego.patch, HOST-substitution-spnego.patch
>
>
> SPNEGO based Web Authentication uses HTTP/fqdn@REALM as the kerberos principal for each host.
> Since it is difficult to modify the config for each host, a substitution feature where _HOST gets replaced by fqdn is implemented.
> The task is to provide similar feature for the kerberos principals used for SPNEGO principals
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira