Posted to dev@storm.apache.org by "Rick Kellogg (JIRA)" <ji...@apache.org> on 2015/10/05 04:01:27 UTC

[jira] [Updated] (STORM-427) (Security) AutoTGT with HBase can expose JVM kerberos issue

     [ https://issues.apache.org/jira/browse/STORM-427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Kellogg updated STORM-427:
-------------------------------
    Component/s: storm-hbase

> (Security) AutoTGT with HBase can expose JVM kerberos issue
> -----------------------------------------------------------
>
>                 Key: STORM-427
>                 URL: https://issues.apache.org/jira/browse/STORM-427
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-hbase
>    Affects Versions: 0.10.0
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>            Priority: Blocker
>              Labels: security
>             Fix For: 0.10.0
>
>
> The Oracle JVM, in all versions I have looked at, has a bug where it is possible for the JVM to use a service ticket instead of a TGT when requesting a service ticket from the KDC.
> The way the JVM code works right now is that when it looks for the TGT to use to connect to the KDC it will iterate over all of the KerberosTickets in the private credentials, but it will pull out and use the first ticket that is for the current client.  The private credentials set is actually backed by a linked list, so the order they are scanned is insertion order.  Because a TGT is going to be inserted before any service tickets in the common case, all is fine; the issue only shows up when we insert a new TGT after other still-valid service tickets.
> This also only shows up when you are talking to more than one service, like we do with HBase.  If it were talking to just one service then the Java code would reuse the valid service ticket instead of trying to get a new service ticket.  I'll put up a pull request shortly.
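The following is an added illustration of the ordering problem described in the issue above; it is not Storm's AutoTGT code and not the JDK's internal lookup, only a simplified imitation of the behaviour the reporter describes, written against the public javax.security.auth API. The principals, the placeholder ASN.1/key bytes and the one-hour lifetimes are constructed for the demonstration. The first lookup mirrors the reported bug (first still-valid ticket for the client, whatever its server); the second additionally checks that the server is the krbtgt principal of the client's realm, which is the check a caller needs if it cannot control insertion order.

```java
import java.net.InetAddress;
import java.util.Date;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/**
 * Added example, not Storm or JDK code: shows why insertion order of a
 * Subject's private credentials matters when a fresh TGT is pushed in
 * after still-valid service tickets.
 */
public class TgtOrderingDemo {

    // Constructed principals for the demonstration (explicit realm, so no krb5.conf is needed).
    static final KerberosPrincipal CLIENT = new KerberosPrincipal("storm@EXAMPLE.COM");
    static final KerberosPrincipal TGS    = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
    static final KerberosPrincipal HBASE  = new KerberosPrincipal("hbase/rs1.example.com@EXAMPLE.COM");

    // Builds a ticket with placeholder ASN.1 and session-key bytes (constructed);
    // only client, server and lifetime matter here.
    static KerberosTicket ticket(KerberosPrincipal server, long ttlMillis) {
        long now = System.currentTimeMillis();
        return new KerberosTicket(
                new byte[] {0x01},        // asn1Encoding placeholder
                CLIENT, server,
                new byte[16], 17,         // session key placeholder, key type 17 (aes128-cts)
                new boolean[32],          // ticket flags, none set (so not renewable)
                new Date(now), new Date(now), new Date(now + ttlMillis),
                null,                     // renewTill: not renewable
                new InetAddress[0]);
    }

    // Imitates the lookup the report describes: scan the private credentials in
    // insertion order and take the first current ticket for the client, without
    // checking that it is actually a TGT.
    static KerberosTicket firstTicketForClient(Subject s, KerberosPrincipal client) {
        for (Object c : s.getPrivateCredentials()) {
            if (c instanceof KerberosTicket) {
                KerberosTicket t = (KerberosTicket) c;
                if (t.getClient().equals(client) && t.isCurrent()) return t;
            }
        }
        return null;
    }

    // Safer lookup: also require the server to be krbtgt/REALM@REALM.
    static KerberosTicket tgtForClient(Subject s, KerberosPrincipal client) {
        String realm = client.getRealm();
        String tgs = "krbtgt/" + realm + "@" + realm;
        for (Object c : s.getPrivateCredentials()) {
            if (c instanceof KerberosTicket) {
                KerberosTicket t = (KerberosTicket) c;
                if (t.getClient().equals(client) && t.isCurrent()
                        && t.getServer().getName().equals(tgs)) return t;
            }
        }
        return null;
    }

    // Drops the old TGT, standing in for a TGT that has expired and been removed.
    static void removeTgt(Set<Object> creds) {
        for (Iterator<Object> it = creds.iterator(); it.hasNext();) {
            Object c = it.next();
            if (c instanceof KerberosTicket && ((KerberosTicket) c).getServer().equals(TGS)) {
                it.remove();
            }
        }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        Set<Object> creds = subject.getPrivateCredentials();

        // 1. Normal startup: TGT inserted first, then a service ticket for HBase.
        creds.add(ticket(TGS, 3_600_000L));
        creds.add(ticket(HBASE, 3_600_000L));
        System.out.println("initial, client-only match: " + firstTicketForClient(subject, CLIENT).getServer());

        // 2. A renewed TGT is inserted after the still-valid HBase service ticket
        //    (the old TGT having gone away), so the service ticket is now scanned first.
        removeTgt(creds);
        creds.add(ticket(TGS, 3_600_000L));
        System.out.println("after refresh, client-only match: " + firstTicketForClient(subject, CLIENT).getServer());
        System.out.println("after refresh, krbtgt check:      " + tgtForClient(subject, CLIENT).getServer());
    }
}
```

Compile and run with a plain `javac`/`java`; no KDC or krb5.conf is contacted because every principal carries an explicit realm and no ticket is ever used. After the refresh step the client-only lookup returns the hbase/rs1.example.com ticket while the krbtgt-checked lookup returns the new TGT, which is the difference the issue describes. Note that `Subject.getPrivateCredentials()` (the raw set) is iterated deliberately: the typed `getPrivateCredentials(KerberosTicket.class)` variant copies matches into a new set and does not preserve insertion order, so it cannot be used to reproduce the scan order being discussed.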



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)