hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Mon, 03 Nov 2014 18:09:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194809#comment-14194809

Yongjun Zhang commented on HADOOP-10895:

HI [~tucu00],

Thanks a lot for your input. The problem is that {{AuthenticatedURL}} creates authenticator
when client code doesn't pass one, 
public AuthenticatedURL(Authenticator authenticator, ConnectionConfigurator connConfigurator)
    try {
      if (authenticator != null) {
        this.authenticator = authenticator;
      } else {
        // use default authenticator
        this.authenticator = DEFAULT_AUTHENTICATOR.newInstance(); <== this is where the
default authenticator is created

we somehow need to let AuthenticatedURL know whether to create an authenticator that allows
fallback or not. Certainly this is relevant only when the authenticator is KerberosAuthenticator.
Since user is allowed to set the default authenticator type, and {{AuthenticatedURL}} doesn't
really care what authenticator type it is creating.

Are you suggesting that we can change AuthenticatedURL to not create authenticator in the
above code, and instead, to retrieve the static version from the corresponding authenticator
class?  I can make this change to {{AuthenticatedURL}}, I wonder whether there is any compatibility
concern of doing so?


> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message