From 0272de79289b465965731ba49f744c447f4c7718 Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad Date: Fri, 3 Aug 2018 00:48:14 +1000 Subject: [PATCH] [Kerberos] Use canonical host name The Apache Http components support for Spnego scheme uses canonical name by default. Also when resolving host name, on centos by default there are other aliases so adding them to the DelegationPermission. Closes#32498
---
 x-pack/qa/kerberos-tests/build.gradle | 2 +-
 .../security/authc/kerberos/KerberosAuthenticationIT.java | 2 +-
 .../kerberos-tests/src/test/resources/plugin-security.policy | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/x-pack/qa/kerberos-tests/build.gradle b/x-pack/qa/kerberos-tests/build.gradle
index 7138b93051226..59667d9ee7809 100644
--- a/x-pack/qa/kerberos-tests/build.gradle
+++ b/x-pack/qa/kerberos-tests/build.gradle
@@ -41,7 +41,7 @@ Object httpPrincipal = new Object() {
 @Override
 String toString() {
 InetAddress resolvedAddress = InetAddress.getByName('127.0.0.1')
- return "HTTP/" + resolvedAddress.getHostName()
+ return "HTTP/" + resolvedAddress.getCanonicalHostName()
 }
 }
diff --git a/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java b/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java
index ed9f4fbe38d5a..b6ebfde20799f 100644
--- a/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java
+++ b/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java
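Review bot: `getCanonicalHostName()` in `httpPrincipal.toString()` does not fail when the reverse lookup of 127.0.0.1 is unavailable or refused; it returns the textual address, so the generated principal would silently become `HTTP/127.0.0.1`. The same applies to `buildHttpHost` in the KerberosAuthenticationIT.java hunk, where the `UnknownHostException` catch covers only `getByName`, so a fallback to the literal address would presumably show up later as a SPNEGO failure rather than a skipped test. Since the service principal name now depends on reverse name resolution of the build host, a comment above the return would help, for example `// SPN follows the reverse lookup of 127.0.0.1; it must match a DelegationPermission entry in plugin-security.policy`. The build script around `httpPrincipal` continues outside the hunk.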
@@ -112,7 +112,7 @@ public void testSoDoesNotFailWithNoTests() {
 protected HttpHost buildHttpHost(String host, int port) {
 try {
 InetAddress inetAddress = InetAddress.getByName(host);
- return super.buildHttpHost(inetAddress.getHostName(), port);
+ return super.buildHttpHost(inetAddress.getCanonicalHostName(), port);
 } catch (UnknownHostException e) {
 assumeNoException("failed to resolve host [" + host + "]", e);
 }
diff --git a/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy b/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
index fb7936bf62093..84219494bf2ce 100644
--- a/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
+++ b/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
@@ -1,4 +1,7 @@
 grant {
 permission javax.security.auth.AuthPermission "doAsPrivileged";
 permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost.localdomain@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4.localdomain4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
 };
\ No newline at end of file
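Review bot: The three added `DelegationPermission` entries in plugin-security.policy hard-code the loopback aliases of one distribution, while the principal is now computed at run time from the canonical host name, so a host whose 127.0.0.1 reverse-resolves to any other name would presumably still be denied delegation. Each entry also lets the test code delegate credentials to one more service principal, so the list should stay as short as possible and carry its reason. A comment above the new lines would record that, for example `// loopback aliases returned by getCanonicalHostName() on CentOS; test-only grants`. The file still ends without a trailing newline.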