Posted to common-issues@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2012/06/20 19:02:43 UTC

[jira] [Created] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Alejandro Abdelnur created HADOOP-8518:
------------------------------------------

             Summary: SPNEGO client side should use KerberosName rules
                 Key: HADOOP-8518
                 URL: https://issues.apache.org/jira/browse/HADOOP-8518
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.0.0-alpha
            Reporter: Alejandro Abdelnur
            Assignee: Alejandro Abdelnur
             Fix For: 2.0.1-alpha


Currently KerberosName is used only on the server side to resolve the client name; we should use it on the client side as well to resolve the server name before getting the Kerberos ticket.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Rohini Palaniswamy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398929#comment-13398929 ] 

Rohini Palaniswamy commented on HADOOP-8518:
--------------------------------------------

Not as a fallback, but as an override. What I had done was to get the canonical name of the host from the URL to connect to and use it to construct the service principal's host part (HTTP/canonicalhostname). If a specific Configuration property was set as to what the FQDN of the service principal should be, then I used that instead of constructing the service principal from the URL. The override would help if the service principal was in a different realm than the default realm too. You can have a separate specific config parameter to specify the service principal override and use the rule mapping configuration.
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398888#comment-13398888 ] 

Daryn Sharp commented on HADOOP-8518:
-------------------------------------

I'm not up to speed on SPNEGO, so could you educate me as to why the client needs to canonicalize the remote host?
                

[jira] [Updated] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8518:
---------------------------------------

    Affects Version/s: 1.0.3
        Fix Version/s: 1.1.0
    

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13402427#comment-13402427 ] 

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

@Daryn, regarding the server sending the hostname in a header, that is not part of the SPNEGO protocol. And it could be a security vulnerability: it would enable a MiM attack. Plus, the client has to dictate what the server principal is, as we are enforcing dual authentication.
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Rohini Palaniswamy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398826#comment-13398826 ] 

Rohini Palaniswamy commented on HADOOP-8518:
--------------------------------------------

hadoop.security.auth_to_local can be used as an override if required.
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Kihwal Lee (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398901#comment-13398901 ] 

Kihwal Lee commented on HADOOP-8518:
------------------------------------

> I'm not up to speed on spnego, so could you educate me as to why the client needs to canonicalize the remote host?

HADOOP-8043 might offer you some background/hint.
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13399306#comment-13399306 ] 

Daryn Sharp commented on HADOOP-8518:
-------------------------------------

Thanks for enlightening me Alejandro. I did not realize SPNEGO is creating a service ticket. Based on a quick read, it seems that CNAMEs and proxies are often problematic and usually require an explicit config. Using config options would seem to be problematic/expensive to maintain in multi-grid environments.

Would perhaps a cleaner way be for the server to send an HTTP response header containing its canonical hostname? If that header is present, the SPNEGO client will use it to construct the server principal?
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403178#comment-13403178 ] 

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

(I'm not an expert either, just know a bit about it :) ) Yes, the MiM attack would require a valid principal/credentials (a keytab). In a large cluster setup, with 1000s of machines, this would mean that 1 rogue machine could do a MiM.
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403111#comment-13403111 ] 

Daryn Sharp commented on HADOOP-8518:
-------------------------------------

I'm by no means a SPNEGO expert, so perhaps this will be educational.  Won't the MiM server need to present a valid principal in the KDC for whom it will purport to be?  Won't the MiM server be unable to recover the TGT from the service ticket if the server lacks the keytab entry?  If true, isn't the system already very compromised?
                

[jira] [Assigned] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Suresh Srinivas (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suresh Srinivas reassigned HADOOP-8518:
---------------------------------------

    Assignee: Suresh Srinivas  (was: Alejandro Abdelnur)
    

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398834#comment-13398834 ] 

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

@Rohini, so does this mean that we should deconstruct the URL, canonize the hostname using InetAddress and recreate the URL before making the connection? And as a fallback provide auth_to_local mapping for cases where the canonization does not work as expected? thx!!
                

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398918#comment-13398918 ] 

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

@Daryn, the hadoop-auth SPNEGO client creates a token with HTTP/<HOST> as server principal, where <HOST> is the host specified in the URL. If you are using a hostname alias, then the resolved server principal will be HTTP/<HOST-alias>. The problem is that the KDC will not recognize this principal because it does not exist. This means that the hadoop-auth SPNEGO client should find out what the real hostname is to use as <HOST>. Hope this clarifies.
                
        
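The following is an added example, not hadoop-auth's own code, tying together the HTTP/<HOST> construction Alejandro describes and the explicit override Rohini proposes: the client takes the server principal from a locally configured override if one is set, otherwise from the DNS-canonicalized URL host, and never from anything the server sends back. The config key name, the in-memory alias table standing in for DNS, and the helper names are assumptions.

```java
import java.net.InetAddress;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/** Client-side SPNEGO server principal resolution (illustrative, not hadoop-auth). */
public final class SpnegoServerPrincipal {

    /** Hypothetical config key for an explicit server principal override. */
    public static final String OVERRIDE_KEY = "example.spnego.server.principal";

    private SpnegoServerPrincipal() {}

    /**
     * Resolves the principal the client requests a service ticket for.
     * Precedence: (1) explicit local override (needed e.g. when the service lives
     * in a non-default realm); (2) HTTP/<canonical host>, with the URL host
     * canonicalized by the supplied resolver (DNS in production, a table here).
     * The choice is always made on the client side; trusting a server-supplied
     * hostname would let a rogue host holding any valid keytab choose it.
     */
    public static String resolve(URL url, Map<String, String> conf,
                                 Function<String, String> canonicalizer) {
        String override = conf.get(OVERRIDE_KEY);
        if (override != null && !override.trim().isEmpty()) {
            return override.trim();
        }
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("URL has no host: " + url);
        }
        String canonical = canonicalizer.apply(host);
        if (canonical == null || canonical.isEmpty()) {
            throw new IllegalStateException("cannot canonicalize host: " + host);
        }
        // Host parts of Kerberos principals are conventionally lower case.
        return "HTTP/" + canonical.toLowerCase(Locale.ROOT);
    }

    /** Production resolver: forward lookup, then reverse lookup of the address. */
    public static String dnsCanonicalize(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new IllegalStateException("unknown host: " + host, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed alias table standing in for DNS (CNAME -> canonical name).
        Map<String, String> fakeDns = Map.of(
            "nn.example.com", "nn.example.com",
            "namenode-alias.example.com", "nn.example.com");
        Function<String, String> resolver = h -> fakeDns.getOrDefault(h, h);

        URL u = new URL("http://namenode-alias.example.com:50070/webhdfs/v1/");
        // Naive client: HTTP/namenode-alias.example.com, unknown to the KDC.
        System.out.println("naive:         HTTP/" + u.getHost());
        // Canonicalized: HTTP/nn.example.com
        System.out.println("canonicalized: " + resolve(u, Map.of(), resolver));
        // Explicit override wins, e.g. for a service in another realm.
        Map<String, String> conf = Map.of(OVERRIDE_KEY, "HTTP/nn.example.com@OTHER.REALM");
        System.out.println("override:      " + resolve(u, conf, resolver));
    }
}
```

Swap `resolver` for `SpnegoServerPrincipal::dnsCanonicalize` to run against real DNS; the auth_to_local style rule mapping discussed in the thread would slot in between the override and the canonicalization step.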

[jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Rohini Palaniswamy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398823#comment-13398823 ] 

Rohini Palaniswamy commented on HADOOP-8518:
--------------------------------------------

Tucu,
   The client should support server principal canonicalization through DNS. It is one of the standard practices, and many clients, like curl and Firefox, do it.

http://books.google.com/books?id=dGMd-uay-lkC&pg=PT232&lpg=PT232
http://docs.oracle.com/cd/E19253-01/816-4557/planning-25/index.html

Having to configure hadoop.security.auth_to_local for something that is a very common Kerberos practice/standard is not ideal.
                

[jira] [Updated] (HADOOP-8518) SPNEGO client side should use KerberosName rules

Posted by "Suresh Srinivas (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suresh Srinivas updated HADOOP-8518:
------------------------------------

    Fix Version/s:     (was: 2.0.2-alpha)
                       (was: 1.1.0)
    