Bug 1107613

Summary: SASL GSSAPI auth doesn't use principal configured login_module
Product: [JBoss] JBoss Data Grid 6
Reporter: Vojtech Juranek <vjuranek>
Component: JGroups
Assignee: Tristan Tarrant <ttarrant>
Status: NEW
QA Contact: Martin Gencur <mgencur>
Severity: high
Priority: unspecified
Version: 6.3.0
CC: bban, chuffman, pslavice, vjuranek
Target Milestone: ---
Target Release: 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
In Red Hat JBoss Data Grid, the server principal is always constructed as <literal>jgroups/server_name</literal> and is not loaded from the Kerberos login module. Using a different principal results in an authentication failure. This is a known issue in JBoss Data Grid 6.4 and the workaround for this issue is to use <literal>jgroups/server_name</literal> as the server principal.
Clone Of:
: 1116311
Type: Bug
Bug Blocks: 1116311    

Description Vojtech Juranek 2014-06-10 11:04:07 UTC
Please see https://issues.jboss.org/browse/JGRP-1847

Comment 1 Martin Gencur 2014-06-10 11:10:08 UTC
Making this a blocker for JDG 6.3.GA

Comment 3 Martin Gencur 2014-06-11 07:10:04 UTC
OK. Looks like this is not a blocker, according to Vojtech. But the configuration is not very intuitive. Could you please comment, Vojta?

Comment 4 Vojtech Juranek 2014-06-11 07:54:38 UTC
When using the EAP Kerberos login module, the principal is configured there, e.g.

<login-module code="Kerberos" flag="required">
        ....
        <module-option name="principal" value="jgroups/node0/clustered"/>
        ....
</login-module>

One would expect that this is sufficient. However, this principal name is not used and the principal for the joining node is constructed as "jgroups/server_name", so if I configure server_name to "node0" (which is expected), authentication fails. To make it work, one has to configure server_name to "node0/clustered":

<SASL mech="GSSAPI"
         server_name="node0/clustered"
         .... 
/>

IMHO this is very confusing, especially when we use a principal of the form jgroups/server_fqdn/cache_container_name for server mode.

Comment 5 Misha H. Ali 2014-07-04 08:23:26 UTC
Hi folks,

Created a cloned docs bug to track this for docs, but I need some information about what exactly we want documented for this bug.

Comment 6 Vojtech Juranek 2014-07-04 08:55:00 UTC
We should mention that the server principal is always constructed as "jgroups/server_name", therefore the server principal in Kerberos also has to be "jgroups/server_name" (if in Kerberos it is e.g. "jgroups/node1/mycache", then the server name has to be "node1/mycache").
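
Added example (not part of the bug report and not JGroups or JDG code): a small configuration check for the rule stated in comments 4 and 6, comparing the login-module principal with the "jgroups/server_name" principal that gets constructed. The XML fragments are constructed samples modelled on comment 4; the function names and the handling of an optional @REALM suffix are assumptions.

```python
import xml.etree.ElementTree as ET

SERVICE = "jgroups"  # service part the report says is always used

# Constructed sample fragments modelled on the snippets in comment 4.
LOGIN_MODULE = """<login-module code="Kerberos" flag="required">
    <module-option name="principal" value="jgroups/node0/clustered"/>
</login-module>"""
SASL_BAD = '<SASL mech="GSSAPI" server_name="node0"/>'
SASL_GOOD = '<SASL mech="GSSAPI" server_name="node0/clustered"/>'


def login_module_principal(xml_text):
    """Return the 'principal' module-option of a Kerberos login-module fragment."""
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # tolerate namespaced config files
        if local == "module-option" and el.get("name") == "principal":
            return el.get("value")
    raise ValueError("login module has no 'principal' option")


def required_server_name(principal):
    """server_name for which jgroups/<server_name> equals the given principal."""
    name = principal.split("@", 1)[0]  # assumption: ignore an optional @REALM
    prefix = SERVICE + "/"
    if not name.startswith(prefix) or len(name) == len(prefix):
        raise ValueError(f"{principal!r} is not of the form {prefix}<server_name>")
    return name[len(prefix):]


def check(login_xml, sasl_xml):
    """Return (ok, message) for one login-module / SASL element pair."""
    sasl = ET.fromstring(sasl_xml)
    if sasl.get("mech") != "GSSAPI":
        return True, "mech is not GSSAPI; check does not apply"
    principal = login_module_principal(login_xml)
    wanted = required_server_name(principal)
    actual = sasl.get("server_name")
    if actual == wanted:
        return True, f"{SERVICE}/{actual} matches the login-module principal"
    return False, (f"constructed {SERVICE}/{actual} != {principal}; "
                   f'set server_name="{wanted}"')


if __name__ == "__main__":
    for sasl_xml in (SASL_BAD, SASL_GOOD):
        print(check(LOGIN_MODULE, sasl_xml))
```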

Comment 7 Misha H. Ali 2014-07-06 23:10:00 UTC
Thanks, Vojta. Copied comment to Bug 1116311 for docs. Setting needs_docs flag to + to indicate a docs bug has been created to deal with this issue.

Comment 8 JBoss JIRA Server 2015-06-23 10:02:13 UTC
Bela Ban <bela> updated the status of jira JGRP-1847 to Closed