HADOOP-13565. KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request. Contributed by Xiaoyu Yao.

(cherry picked from commit 9097e2efe4)
2016-10-13 10:52:13 -07:00 · 2016-10-13 10:52:13 -07:00 · 874402a295
parent b60e545a08
commit 874402a295
1 changed files with 1 additions and 6 deletions
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@ -343,8 +343,6 @@ public AuthenticationToken authenticate(HttpServletRequest request, final HttpSe
      authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
      final Base64 base64 = new Base64(0);
      final byte[] clientToken = base64.decode(authorization);
-      final String serverName = InetAddress.getByName(request.getServerName())
-                                           .getCanonicalHostName();
      try {
        token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {

@ -354,10 +352,7 @@ public AuthenticationToken run() throws Exception {
            GSSContext gssContext = null;
            GSSCredential gssCreds = null;
            try {
-              gssCreds = gssManager.createCredential(
-                  gssManager.createName(
-                      KerberosUtil.getServicePrincipal("HTTP", serverName),
-                      KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
+              gssCreds = gssManager.createCredential(null,
                  GSSCredential.INDEFINITE_LIFETIME,
                  new Oid[]{
                    KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),