Bug 1107613
Summary: SASL GSSAPI auth doesn't use principal configured login_module

| Field | Value |
|---|---|
| Product | [JBoss] JBoss Data Grid 6 |
| Component | JGroups |
| Version | 6.3.0 |
| Target Release | 6.3.0 |
| Status | NEW |
| Severity | high |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Known Issue |
| Reporter | Vojtech Juranek <vjuranek> |
| Assignee | Tristan Tarrant <ttarrant> |
| QA Contact | Martin Gencur <mgencur> |
| CC | bban, chuffman, pslavice, vjuranek |
| Bug Blocks | 1116311 |

Doc Text:
In Red Hat JBoss Data Grid, the server principal is always constructed as `jgroups/server_name` and is not loaded from the Kerberos login module. Using a different principal results in an authentication failure.
This is a known issue in JBoss Data Grid 6.4 and the workaround for this issue is to use `jgroups/server_name` as the server principal.

Description
Vojtech Juranek
2014-06-10 11:04:07 UTC
Making this a blocker for JDG 6.3.GA

OK. Looks like this is not a blocker, according to Vojtech. But the configuration is not very intuitive. Could you please comment, Vojta?

When using the EAP Kerberos login module, the principal is configured there, e.g.

```xml
<login-module code="Kerberos" flag="required">
    ....
    <module-option name="principal" value="jgroups/node0/clustered"/>
    ....
</login-module>
```

One would expect that this is sufficient. However, this principal name is not used and the principal for the joining node is constructed as "jgroups/server_name", so if I configure server_name to "node0" (which is expected), authentication fails. To make it work, one has to configure server_name to "node0/clustered":

```xml
<SASL mech="GSSAPI" server_name="node0/clustered" .... />
```

IMHO this is very confusing, especially when we use for server mode a principal in the form jgroups/server_fqdn/cache_container_name.

Hi folks, Created a cloned docs bug to track this for docs, but I need some information about what exactly we want documented for this bug.

We should mention that the server principal is always constructed as "jgroups/server_name", therefore the server principal in Kerberos also has to be "jgroups/server_name" (if in Kerberos it is e.g. "jgroups/node1/mycache", then the server name has to be "node1/mycache").

Thanks, Vojta. Copied comment to Bug 1116311 for docs. Setting needs_docs flag to + to indicate a docs bug has been created to deal with this issue.
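
The mismatch described in this report can be caught before deployment. The following check is an added example, not code from the report or from JGroups/JDG: it compares the principal set on the Kerberos login module with the `jgroups/server_name` value the report says is always constructed. The wrapper elements (`security-domain`, `config`), the function names and the stripping of a trailing `@REALM` are assumptions, and the XML inputs are constructed from the snippets above.

```python
import xml.etree.ElementTree as ET

SERVICE = "jgroups"  # prefix the report says is always used for the server principal

# Constructed sample inputs modelled on the snippets in the report.
LOGIN_XML = """<security-domain name="krb-node0">
  <login-module code="Kerberos" flag="required">
    <module-option name="principal" value="jgroups/node0/clustered"/>
  </login-module>
</security-domain>"""
STACK_BAD = '<config><SASL mech="GSSAPI" server_name="node0"/></config>'
STACK_OK = '<config><SASL mech="GSSAPI" server_name="node0/clustered"/></config>'


def local(tag):
    """Element name without any XML namespace prefix, lower-cased."""
    return tag.rsplit("}", 1)[-1].lower()


def kerberos_principals(xml_text):
    """Principals set on login modules whose code is "Kerberos"."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "login-module" and el.get("code") == "Kerberos":
            found += [o.get("value") for o in el
                      if local(o.tag) == "module-option" and o.get("name") == "principal"]
    return found


def gssapi_server_names(xml_text):
    """server_name of every SASL element that uses the GSSAPI mechanism."""
    return [el.get("server_name") for el in ET.fromstring(xml_text).iter()
            if local(el.tag) == "sasl" and el.get("mech") == "GSSAPI"]


def check(login_xml, stack_xml):
    """Return one finding per server_name that no configured principal matches."""
    # Assumption: a trailing @REALM on the configured principal is ignored.
    configured = {p.split("@", 1)[0] for p in kerberos_principals(login_xml) if p}
    findings = []
    for name in gssapi_server_names(stack_xml):
        effective = f"{SERVICE}/{name}"
        if effective not in configured:
            findings.append(f"server_name={name!r} yields {effective!r}, "
                            f"login module has {sorted(configured)}")
    return findings


if __name__ == "__main__":
    for label, stack in (("bad", STACK_BAD), ("ok", STACK_OK)):
        print(label, check(LOGIN_XML, stack) or "principals match")
```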