You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Alexander Kolbasov (JIRA)" <ji...@apache.org> on 2017/04/29 22:16:04 UTC
[jira] [Created] (SENTRY-1737) SentryTransportFactory may use
incorrect kerberos principal
Alexander Kolbasov created SENTRY-1737:
------------------------------------------
Summary: SentryTransportFactory may use incorrect kerberos principal
Key: SENTRY-1737
URL: https://issues.apache.org/jira/browse/SENTRY-1737
Project: Sentry
Issue Type: Sub-task
Components: Sentry
Affects Versions: sentry-ha-redesign
Reporter: Alexander Kolbasov
Fix For: sentry-ha-redesign
The new {{SentryTransportFactory}} introduced in SENTRY-1593 has the following code in {{createTransport()}}:
{code}
String serverPrincipal = transportConfig.getSentryPrincipal(conf);
serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
if (serverPrincipalParts == null) {
serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
Preconditions.checkArgument(serverPrincipalParts.length == 3,
"Kerberos principal should have 3 parts: " + serverPrincipal);
}
{code}
So it caches serverPrincipalParts at the instance level. But the same instance can be used to create transports for mutiple destinations which will have different server principal, so the following code:
{code}
return new UgiSaslClientTransport(SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
serverPrincipalParts[0], serverPrincipalParts[1],
socket, wrapUgi, conf);
{code}
may return a transport with the wrong principal.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)