hadoop-common-issues mailing list archives

From "Bowen Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
Date Mon, 10 Feb 2014 18:32:26 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13896823#comment-13896823
] 

Bowen Zhang commented on HADOOP-10078:
--------------------------------------

After HADOOP-10078, Oozie kill/suspend and the proxyUser service throw a "user[?] null" error in a
non-secure environment when not using an auth-token file. The root cause is that KerberosAuthenticator
fails to fall back to PseudoAuthenticator to set the token for the user; therefore the server-side
code doesn't know who the user is.

> KerberosAuthenticator always does SPNEGO
> ----------------------------------------
>
>                 Key: HADOOP-10078
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10078
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.3-alpha
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Minor
>             Fix For: 2.3.0
>
>         Attachments: HADOOP-10078.patch
>
>
> HADOOP-8883 made this change to {{KerberosAuthenticator}}
> {code:java}
> @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements Authenticator {
>        conn.setRequestMethod(AUTH_HTTP_METHOD);
>        conn.connect();
>        
> -      if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
> +      if (conn.getRequestProperty(AUTHORIZATION) != null && conn.getResponseCode()
== HttpURLConnection.HTTP_OK) {
>          LOG.debug("JDK performed authentication on our behalf.");
>          // If the JDK already did the SPNEGO back-and-forth for
>          // us, just pull out the token.
> {code}
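
Review bot: The new conn.getRequestProperty(AUTHORIZATION) != null term on the "+" line reads the header back from the client-side connection object, and the JDK does not return "Authorization" from getRequestProperty, so the condition is false whatever the response code is and the "JDK performed authentication on our behalf" branch under it is never taken. Either drop the term and keep the HTTP_OK comparison alone, or base the decision on something the connection actually exposes, and add a test that reaches this branch so that a dead condition is caught.
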
> to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this inadvertently
> made the if statement always false because it turns out that the JDK excludes some headers,
> including the "Authorization" one that we're checking (see discussion [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
> This means that it was always either calling {{doSpnegoSequence(token);}} or
> {{getFallBackAuthenticator().authenticate(url, token);}}, which is actually the old behavior
> that existed before HADOOP-8855 changed it in the first place.
> In any case, I tried removing the "Authorization" check and Oozie still works with and
> without Kerberos; the NPE reported in OOZIE-1010 has since been properly fixed as a side
> effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
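
The JDK behaviour that the issue description refers to, as an added example that is not part of the original message or of Hadoop's code: a loopback server records the Authorization header it receives, while the client-side HttpURLConnection.getRequestProperty does not return it, so a guard shaped like the one in the patch stays false even on a 200 response. The class name, the X-Demo header and the token value are constructed for illustration, and the request uses the default GET method.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.concurrent.atomic.AtomicReference;

// Added illustration; class name, X-Demo header and token value are constructed.
public class AuthorizationHeaderVisibility {
    public static void main(String[] args) throws Exception {
        // Loopback server that records the Authorization header it actually receives.
        AtomicReference<String> seenByServer = new AtomicReference<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            seenByServer.set(exchange.getRequestHeaders().getFirst("Authorization"));
            exchange.sendResponseHeaders(200, -1); // 200 OK with no response body
            exchange.close();
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization", "Negotiate Y29uc3RydWN0ZWQ=");
            conn.setRequestProperty("X-Demo", "visible");
            conn.connect();
            int status = conn.getResponseCode();

            // What the server received on the wire.
            System.out.println("server saw Authorization: " + seenByServer.get());
            // An ordinary request header can be read back from the connection.
            System.out.println("client X-Demo:            " + conn.getRequestProperty("X-Demo"));
            // The JDK excludes Authorization from what getRequestProperty returns.
            String auth = conn.getRequestProperty("Authorization");
            System.out.println("client Authorization:     " + auth);

            // Same shape as the condition added by the patch quoted above.
            boolean guard = auth != null && status == HttpURLConnection.HTTP_OK;
            System.out.println("status=" + status + " guard=" + guard);
        } finally {
            server.stop(0);
        }
    }
}
```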
