Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/12/14 12:23:00 UTC

[jira] [Commented] (HADOOP-18573) Improve error reporting on non-standard kerberos names

    [ https://issues.apache.org/jira/browse/HADOOP-18573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17647070#comment-17647070 ] 

ASF GitHub Bot commented on HADOOP-18573:
-----------------------------------------

steveloughran opened a new pull request, #5221:
URL: https://github.com/apache/hadoop/pull/5221

   The Kerberos RFC does not declare any restriction on characters used in Kerberos names, though implementations MAY be more restrictive.
   
   If the Kerberos controller supports the use of non-conventional principal names *and the Kerberos admin chooses to use them*, this can confuse some of the parsing.
   
   The obvious solution is for the enterprise admins to "not do that", as a lot of things break, bits of Hadoop included.
   
   Harden the Hadoop code slightly so at least we fail more gracefully, so people can then get in touch with their sysadmin and tell them to stop it.
   
> Improve error reporting on non-standard kerberos names
> ------------------------------------------------------
>
>                 Key: HADOOP-18573
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18573
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>
> The Kerberos RFC does not declare any restriction on
> characters used in Kerberos names, though
> implementations MAY be more restrictive.
> If the Kerberos controller supports the use of non-conventional
> user names *and the Kerberos admin chooses to use them*,
> this can confuse some of the parsing.
> The obvious solution is for the enterprise admins to "not do that",
> as a lot of things break, bits of Hadoop included.
> Harden the Hadoop code slightly so at least we fail more gracefully,
> so people can then get in touch with their sysadmin and tell them
> to stop it.
> Note: given the Kerberos admin is implicitly a superuser being able to
> doesn't give them any privileges, just offers a different way
> to stop the cluster working.


