Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (Created) (JIRA)" <ji...@apache.org> on 2012/02/09 04:08:04 UTC

[jira] [Created] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

KerberosAuthenticationFilter and friends have some problems
-----------------------------------------------------------

                 Key: HADOOP-8043
                 URL: https://issues.apache.org/jira/browse/HADOOP-8043
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 1.0.0
            Reporter: Allen Wittenauer
            Priority: Critical


KerberosAuthenticationFilter and friends have three killer usability issues and bugs:

1. Documentation is misleading/wrong.
2. Shared secret stored in a world readable file.
3. Lacks support for _HOST macro


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205990#comment-13205990 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

The NN & DN seed the HttpServer with the hostname from InetSocketAddress (obtained from config and NetUtils); that hostname should be used for the _HOST resolution. Then things would be autoconf'd in the same way as the principals for RPC.
                
> KerberosAuthenticationFilter and friends have some problems
> -----------------------------------------------------------
>
>                 Key: HADOOP-8043
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8043
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0
>            Reporter: Allen Wittenauer
>            Priority: Critical
>         Attachments: HADOOP-8043-branch-1.0.txt
>
>
> KerberosAuthenticationFilter and friends have three killer usability issues and bugs:
> 1. Documentation is misleading/wrong.
> 2. Shared secret stored in a world readable file.
> 3. Lacks support for _HOST macro


[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205898#comment-13205898 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

BTW, as I mentioned before, if there is another way to intelligently figure out what hostname to present to the user without hard-coding it, I'd truly love to see it.  We're about to roll out a modified version of this patch to our internal folks, FWIW.
                

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205716#comment-13205716 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

I'm still of the opinion that you'd have the race condition as you could have the first 2 incoming requests at the same time.

I would not do the host resolution for initialization using the hostname that you get from *request.getServerName()* because this is the exact hostname the caller used in the URL, and this could be an IP, just the hostname, the hostname + domain, or a DNS alias. What we should do is the same that Hadoop is doing to resolve the wildcard '_HOST' if set in the principal.

The latter is something that should be addressed in trunk as well.


                

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13206001#comment-13206001 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

I think there is some confusion: I don't intend to create a patch to be committed.  I'm only filing jiras with patches so that other people don't have to deal with the issues around getting 1.0 up and running.  Given how much various other companies are proud to tout their patch counts, these should be some easy points.

BTW, I also think there is some confusion around how the patch gets the name. See, whatever the user used for incoming that gets converted to an IP address.  Given that we can specifically bind the NN and JT to specific address:port combos, the admin has control over what is actually valid.   So the name that is going to get used is the reverse lookup of the incoming IP of the address we bound to.  So there is zero concern here about getting the wrong principal on those hosts if we assume that DNS is configured correctly.  If DNS isn't configured correctly, well... they have bigger issues to deal with.



                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205092#comment-13205092 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

How is this being done for the UGI keytab used by the DN & TT ?
                
        

[jira] [Updated] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Allen Wittenauer updated HADOOP-8043:
-------------------------------------

    Attachment: HADOOP-8043-branch-1.0.txt

This patch is based upon my local git tree, so may not apply to yours.  But in any case it does the following:

1. Updates the documentation
2. Adds support for signature.secret.file which is used in preference to signature.secret (if both exist)
3. Adds support for _HOST in the principal name

I've only run this on a single test node, with the outstanding issue I've found being the JT not wanting to auth for some reason.  I'm not sure if this is a filter issue or a JT issue, however.
                
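Item 2 of the patch, a file-backed secret used in preference to the inline property, only closes issue #2 of the description if the file itself is not world readable. The following is an added illustration written for this page, not code from the attached patch or from Hadoop's AuthenticationFilter: the class and method names and the 0600 check are assumptions, while the property names signature.secret and signature.secret.file are the ones named in the comment above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

/**
 * Illustrative loader for the filter's cookie-signing secret (added example,
 * not Hadoop code). "signature.secret.file" wins over "signature.secret"
 * when both are configured, matching the behaviour described in the patch.
 */
public final class SignatureSecretLoader {

    static final String SECRET_PROP = "signature.secret";
    static final String SECRET_FILE_PROP = "signature.secret.file";

    private SignatureSecretLoader() {}

    /** Returns the secret bytes, preferring the file-backed secret. */
    public static byte[] load(Properties config) throws IOException {
        String file = config.getProperty(SECRET_FILE_PROP);
        if (file != null && !file.trim().isEmpty()) {
            return readProtectedFile(Paths.get(file.trim()));
        }
        String inline = config.getProperty(SECRET_PROP);
        if (inline == null || inline.trim().isEmpty()) {
            throw new IOException("no signature secret configured");
        }
        return inline.trim().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Reads the secret file only after checking that nobody but the owner can
     * access it. A secret readable by every local user lets any of them mint
     * authentication cookies the filter will accept, which is issue #2 above.
     * (Assumed policy for this example: require mode 0600 or stricter.)
     */
    static byte[] readProtectedFile(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)
                || perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException(p + " must not be group- or world-accessible (expected mode 0600)");
        }
        byte[] secret = Files.readAllBytes(p);
        // Strip trailing newlines that editors commonly append to the file.
        int len = secret.length;
        while (len > 0 && (secret[len - 1] == '\n' || secret[len - 1] == '\r')) {
            len--;
        }
        if (len == 0) {
            throw new IOException(p + " is empty");
        }
        return Arrays.copyOf(secret, len);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary secret file with owner-only permissions.
        Path tmp = Files.createTempFile("signature-secret", ".txt");
        Files.write(tmp, "constructed-example-secret\n".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(tmp,
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));

        Properties cfg = new Properties();
        cfg.setProperty(SECRET_FILE_PROP, tmp.toString());
        cfg.setProperty(SECRET_PROP, "ignored-because-the-file-is-set");
        System.out.println(new String(load(cfg), StandardCharsets.UTF_8));

        Files.delete(tmp);
    }
}
```

The permission check uses POSIX attributes and therefore throws UnsupportedOperationException on file systems that do not expose them; on such platforms the check has to be replaced by the platform's ACL equivalent rather than dropped.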
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13208681#comment-13208681 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

4) Looks like this plug-in doesn't use the auth_to_local rules
                
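For readers unfamiliar with what the plug-in is missing here: auth_to_local rules are how Hadoop's RPC path maps a full Kerberos principal to a local short name, so a filter that skips them can hand the web UI a different identity than RPC sees for the same principal. The block below is an added, simplified re-implementation of that rule evaluation written for this page; it is not Hadoop's KerberosName class, the class name AuthToLocal and the constructed rule set and principals are assumptions, and it returns null where Hadoop would raise an error for a principal no rule matches.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Compact evaluator for auth_to_local style rules (added example, simplified).
 * Supported syntax:
 *   RULE:[n:fmt](filter)s/pat/repl/[g]     and     DEFAULT
 * n      number of principal components (excluding the realm) the rule applies to
 * fmt    string built from $0 (realm), $1, $2 (components)
 * filter regex that must match the whole built string for the rule to fire
 * s/../../ sed-style substitution producing the local name (Java regex syntax)
 * DEFAULT returns the first component when the realm is the default realm.
 */
public final class AuthToLocal {

    private static final Pattern RULE = Pattern.compile(
        "RULE:\\[(\\d+):([^\\]]+)\\](?:\\(([^)]*)\\))?(?:s/([^/]*)/([^/]*)/(g)?)?");

    private final String defaultRealm;
    private final List<String> rules;

    public AuthToLocal(String defaultRealm, List<String> rules) {
        this.defaultRealm = defaultRealm;
        this.rules = rules;
    }

    /** Maps a principal such as "nn/host@REALM" to a short name; null if no rule applies. */
    public String map(String principal) {
        int at = principal.lastIndexOf('@');
        if (at < 0) {
            throw new IllegalArgumentException("principal has no realm: " + principal);
        }
        String realm = principal.substring(at + 1);
        String[] parts = principal.substring(0, at).split("/");

        for (String rule : rules) {
            if ("DEFAULT".equals(rule)) {
                if (realm.equals(defaultRealm)) {
                    return parts[0];
                }
                continue;
            }
            Matcher m = RULE.matcher(rule);
            if (!m.matches()) {
                throw new IllegalArgumentException("bad rule: " + rule);
            }
            if (Integer.parseInt(m.group(1)) != parts.length) {
                continue;  // rule is for a different number of components
            }
            // Build the candidate string from $0 (realm) and $1.. (components).
            String built = m.group(2).replace("$0", realm);
            for (int i = 0; i < parts.length; i++) {
                built = built.replace("$" + (i + 1), parts[i]);
            }
            String filter = m.group(3);
            if (filter != null && !built.matches(filter)) {
                continue;
            }
            if (m.group(4) == null) {
                return built;  // no substitution part: the built string is the name
            }
            Matcher sub = Pattern.compile(m.group(4)).matcher(built);
            return m.group(6) != null ? sub.replaceAll(m.group(5)) : sub.replaceFirst(m.group(5));
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed rule set: service principals collapse to their daemon users,
        // plain users in the default realm keep their name, foreign realms are rejected.
        AuthToLocal mapper = new AuthToLocal("EXAMPLE.COM", List.of(
            "RULE:[2:$1@$0](nn@.*EXAMPLE\\.COM)s/.*/hdfs/",
            "RULE:[2:$1@$0](jt@.*EXAMPLE\\.COM)s/.*/mapred/",
            "DEFAULT"));
        System.out.println(mapper.map("nn/nn1.example.com@EXAMPLE.COM"));
        System.out.println(mapper.map("alice@EXAMPLE.COM"));
        System.out.println(mapper.map("bob@OTHER.REALM"));
    }
}
```

The point for the filter is the last case: with the rules applied, a principal from a realm the cluster does not trust gets no local identity at all, whereas a filter that merely strips the realm would let it through under a name that may collide with a local account.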
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205050#comment-13205050 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

bq. You should set the right principal in the config file.

The problem is that this doesn't scale.  I want to be able to push one config set to all hosts.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205901#comment-13205901 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

Regarding 'That assumes ..', not really; it assumes the user knows the hostname it must use. Otherwise, on the server side we would have to have/load a TGT for every possible hostname the server is known by (refer to the second paragraph of my previous comment).

Regarding 'if there is another way...', the same way JT/NN/DN/TT do for initializing UGI with the keytab.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205094#comment-13205094 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

I mean, how are the principal names resolved to initialize them from the keytab?
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205130#comment-13205130 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

This patch basically pulls the hostname from the incoming request itself since the only specific information the filter really has is what is stored in the servlet request.   It does a forward followed by a reverse to make sure that we get the real, actual DNS FQDN of whatever service is coming in. We pass this information to the security code which does the macro substitution using the information we've gleaned. At this point, we know what the principal we need to init should be.

In the case of services with vips, they only ever bind to one hostname.  So the race and different request problem shouldn't be a concern.  In the case of services without vips that do actually have multiple IPs, those hosts, to be properly configured in DNS, should reverse resolve to a common name.
                
        

[jira] [Resolved] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Allen Wittenauer resolved HADOOP-8043.
--------------------------------------

    Resolution: Won't Fix

I'm opting to build a different filter for in-house usage.  There are just too many problems with this one.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13204910#comment-13204910 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

The Hadoop 1.0.0 release was shipped without that change, and that's what myself and others are using.

If you have a better way to get the hostname (which may be a vip, so you can't cheat and just ask for the local hostname!) associated with the service that opened the filter, feel free to supply a better patch.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205536#comment-13205536 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

OK, this is really confusing.  It looks like there is a ton of the broken code still in AuthenticationFilter.java.  So perhaps HADOOP-7621 for 0.20 is just incomplete.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205893#comment-13205893 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

That assumes that the keytab even contains the other names ....
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205027#comment-13205027 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

Ok, so #2 should be a backport of what is in branch-1.0.

Thanks for explaining why you moved the login-context initialization from the init() to the authenticate() method. The current code does not ask for the local hostname to create the principal; it gets it from the config file. You should set the right principal in the config file. In your patch you are doing the initialization only once (if NULL); first, you could have a race condition here, having a double initialization; second, if different requests may come with different hostnames because of your vip, then your patch won't work.

It would be great if you explain what is the problem in detail as I may be missing something here. Also, the problem would be in trunk as well, so we should fix it there as well.

Thanks and regards.



                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Allen Wittenauer (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205740#comment-13205740 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

bq. this is the exact hostname caller used in the URL and this could be an IP, just the hostname, the hostname + domain, a DNS alias

That's dealt with as part of the forward and reverse lookup chain.  The (final) address we get is FQDN as blessed by DNS.
                
        

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13204898#comment-13204898 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

Regarding #2, I'm a bit confused here; this is already done in the AuthenticationFilterInitializer, and this is in branch-1 already. The code in the filter is generic to integrate in other systems. Also, in your patch you are moving the logincontext initialization from the init() to the authenticate() method. This would trigger logincontext initialization on every single request; it does not seem correct.


[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205872#comment-13205872 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

Chatting with Eric Sammer about this, he raised a very good point from a security standpoint: you don't want to load from a keytab a principal name resolved with a parameter sent by a client.

And, because of how HTTP SPNEGO works (i.e. in curl), if you use an alias hostname in the URL, and the server was initialized with a principal with another hostname, then the Negotiate header sent by the client will contain as the expected server principal name 'HTTP/<HOSTNAME_IN_URL>@<REALM>'.

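A small Python model, added here and not Hadoop's own code, of the two points in this comment: the server expands _HOST from its configured bind hostname through the forward/reverse lookup chain and never from anything the client sends, and a client that puts a DNS alias in the URL asks for a different principal than the one the server loaded. The DNS tables and hostnames are constructed for the example.

```python
# Added illustration (not Hadoop's code) of _HOST resolution on the server side
# versus the principal a SPNEGO client derives from the URL it was given.
from typing import Dict, Tuple

# Constructed DNS data: forward (A) records and reverse (PTR) records.
FORWARD: Dict[str, str] = {
    "nn1.example.com": "10.0.0.5",
    "namenode": "10.0.0.5",  # alias pointing at the same address
}
REVERSE: Dict[str, str] = {"10.0.0.5": "nn1.example.com"}


def canonical_hostname(name: str, forward: Dict[str, str] = FORWARD,
                       reverse: Dict[str, str] = REVERSE) -> str:
    """Forward lookup, then reverse lookup: the FQDN 'as blessed by DNS'."""
    ip = forward.get(name.lower())
    if ip is None:
        raise ValueError(f"no forward record for {name!r}")
    fqdn = reverse.get(ip)
    if fqdn is None:
        raise ValueError(f"no reverse record for {ip}")
    return fqdn.lower()


def resolve_server_principal(principal_conf: str, bind_host: str) -> str:
    """Expand the _HOST macro from the server's own configured bind hostname.

    The hostname from the client's request is deliberately not an input,
    so a caller cannot steer which keytab entry the server loads.
    """
    if "_HOST" not in principal_conf:
        return principal_conf
    return principal_conf.replace("_HOST", canonical_hostname(bind_host))


def client_expected_principal(url_host: str, realm: str) -> str:
    """Per the thread: a client such as curl targets HTTP/<host in URL>@REALM."""
    return f"HTTP/{url_host}@{realm}"


def spnego_principals_match(principal_conf: str, bind_host: str,
                            url_host: str, realm: str) -> Tuple[bool, str, str]:
    """Compare what the server loaded with what the client will ask for."""
    server = resolve_server_principal(principal_conf, bind_host)
    client = client_expected_principal(url_host, realm)
    return server == client, server, client
```

A mismatch from an alias in the URL is a configuration problem to fix on the server side (canonical names, or a keytab entry for the alias), not something the filter should repair by trusting the request.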

[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Posted by "Alejandro Abdelnur (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205745#comment-13205745 ] 

Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------

But that would work only in such a setup, right?

I think this should be addressed in the same way Hadoop does it for the JT/NN/TT/DN.