hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10771) Refactor HTTP delegation support out of httpfs to common
Date Thu, 07 Aug 2014 22:55:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089991#comment-14089991 ]

Daryn Sharp commented on HADOOP-10771:
--------------------------------------

I appreciate the effort to modernize the authentication filter.  Unfortunately, this is just
too much and makes my head swim.   My final words before I bow out due to time constraints:

The ugi is completely mismanaged and doesn't work with proxy users.  The auth cookies are
an insecure equivalent of Kerberos.  If you steal my service ticket, it's worthless.  If you
steal my cookie, you can request as many tokens as you want.  The extra overhead of using
OPTIONS calls is unnecessary.

The client is throwing AuthenticationExceptions to itself?  The server is throwing AuthenticationExceptions
when the problem is not authentication related.

The coupling of the authenticators makes it hard to trace the logic flows.  It would be much
cleaner to have a distinct filter chain of auth providers.

There don't appear to be enough negative test cases to prove you can't break through.

Anyway, -1 to this coming anywhere near the NN/webhdfs.  Otherwise I'll defer to those that
wish to use it for other components.

> Refactor HTTP delegation support out of httpfs to common
> --------------------------------------------------------
>
>                 Key: HADOOP-10771
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10771
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: COMBO.patch, COMBO.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.sh
>
>
> HttpFS implements delegation token support in {{AuthenticationFilter}} & {{AuthenticationHandler}} subclasses.
> For HADOOP-10770 we need similar functionality for KMS.
> Not to duplicate code, we should refactor existing code to common.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
