hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "fang fang chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9679) KerberosName.rules are not initialized during adding kerberos support to a web servlet using hadoop authentications
Date Wed, 03 Jul 2013 05:58:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698641#comment-13698641
] 

fang fang chen commented on HADOOP-9679:
----------------------------------------

Thanks Alejandro. Actually, I have overwritten getConfiguration(String configPrefix, FilterConfig
filterConfig), and am trying to testing whether these properties can be passed to KerberosAuthenticationHandler.authenticate(..
, ..) part.

OK, for the usage inside hadoop, I agree this is not a bug. Because we always assume user
should have done UGI 'ensureInitialized()' before invoke KerberosName and if user did not
set this property, hadoop will use "DEFAULT" as default value. So this is not an init thing
for the design inside hadoop, and I think it reasonable to provide a default value if user
did not set it. 

Then for the usage outside hadoop, this is an init thing. As user need to set kerberos.name.rules
before using hadoop-auth to add kerberos support to a web servlet. If things is like this,
then I think at least it's better to remind user to set this property if user did not than
just print out a "NullPointerException". 

Actually, both are OK for me to add this property at web servlet side or hadoop-auth provide
a dafult value in hadoop side. I just want to make this usage of hadoop-auth to be more smarter
and simple.

Again, as I mentioned in my previous comment. I think the usage of hadoop kerberos authentication
can be expanded. At least, maybe we can provide user a document to show that how to add kerberos
support via hadoop-auth classes. 
                
> KerberosName.rules are not initialized during adding kerberos support to a web servlet
using hadoop authentications
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9679
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9679
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.1.1, 2.0.4-alpha
>            Reporter: fang fang chen
>             Fix For: 2.1.0-beta
>
>         Attachments: HADOOP-9679.patch
>
>
> I am using hadoop-1.1.1 to add kerberos authentication to a web service. But found rules
are not initialized, that makes following error happened:
> java.lang.NullPointerException
>         at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>         at java.security.AccessController.doPrivileged(AccessController.java:310)
>         at javax.security.auth.Subject.doAs(Subject.java:573)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
> Seems in hadoop-2.0.4-alpha branch, this issue still is still there. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message