Posted to commits@kudu.apache.org by da...@apache.org on 2017/03/06 23:06:33 UTC

kudu git commit: KUDU-1897: disable Kerberos replay cache

Repository: kudu
Updated Branches:
  refs/heads/master f65feff68 -> 45548c90c


KUDU-1897: disable Kerberos replay cache

Change-Id: Ifbce55a0b12682fdf69e7b2c361c6336495db64d
Reviewed-on: http://gerrit.cloudera.org:8080/6254
Reviewed-by: Todd Lipcon <to...@apache.org>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/45548c90
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/45548c90
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/45548c90

Branch: refs/heads/master
Commit: 45548c90c788b6e482ceaa12789eaa2789232efc
Parents: f65feff
Author: Dan Burkert <da...@apache.org>
Authored: Thu Mar 2 15:59:30 2017 -0800
Committer: Dan Burkert <da...@apache.org>
Committed: Mon Mar 6 22:45:30 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 6 ++++++
 1 file changed, 6 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/45548c90/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index f235eed..fb27f40 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -464,6 +464,12 @@ Status InitKerberosForServer() {
   setenv("KRB5CCNAME", "MEMORY:kudu", 1);
   setenv("KRB5_KTNAME", FLAGS_keytab_file.c_str(), 1);
 
+  // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a
+  // per-connection server-generated nonce to protect against replay attacks
+  // when authenticating via Kerberos. The replay cache has many performance and
+  // implementation issues.
+  setenv("KRB5RCACHETYPE", "none", 1);
+
   g_kinit_ctx = new KinitContext();
   string principal;
   RETURN_NOT_OK(GetConfiguredPrincipal(&principal));
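Review bot: The added `setenv("KRB5RCACHETYPE", "none", 1)` turns the replay cache off for the whole process, while the comment above it justifies the change only by the KRPC per-connection nonce. Any other code path in this process that accepts Kerberos tickets without that nonce would lose replay protection as well; none is visible in this hunk, so this is an assumption to check against the rest of the server. I would record the dependency in the comment, e.g. `// NOTE: process-wide setting; every Kerberos acceptor in this process must provide its own replay protection (KRPC does so via the connection nonce).` The return value of setenv() is also ignored here, as on the two calls above it, so a failure would silently leave the replay cache enabled. InitKerberosForServer() starts and ends outside the hunk.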