hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Sat, 08 Nov 2014 05:12:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14203225#comment-14203225

Yongjun Zhang commented on HADOOP-10895:

Hi [~tucu00],

Many thanks for your comments. Had to work on a critical internal issue for some time, so
sorry for being late here.

About your second comment, I also think it's a good practice for all client code to create
an authenticator with the expected on/off setting and pass it to AuthenticatedURL or DelegationTokenAuthenticatedURL's
constructor. I actually tried to enforce that all client must pass a valid authenticator in
rev004. But to be backward compatible, we moved on to rev007 now.

Currently KMSClientProvider uses constructor {{public DelegationTokenAuthenticatedURL(ConnectionConfigurator
connConfigurator)}} and counts on DelegationTokenAuthenticatedURL to create a default authenticator
of type {{DelegationTokenAuthenticatedURL#DEFAULT_AUTHENTICATOR}}.

To address your comment #2,  we need to create an authenticator in KMSClientProvider. We need
to know what type of authenticator to create. To be backward compatible, it seems we should
continue to use the type  {{DelegationTokenAuthenticatedURL#DEFAULT_AUTHENTICATOR}}, which
is defaulted to {{KerberosDelegationTokenAuthenticator.class}} and is resettable by client

So to address your comment#1, we can replace the following code in KMSClientProvider
public HttpURLConnection run() throws Exception {
     DelegationTokenAuthenticatedURL authUrl =
             new DelegationTokenAuthenticatedURL(configurator);
public HttpURLConnection run() throws Exception {
     Class<? extends DelegationTokenAuthenticator> authType = DelegationTokenAuthenticatedURL.getDefaultDelegationTokenAuthenticator();
     DelegationTokenAuthenticator auth = (authType == KerberosDelegationTokenAuthenticator.class)?

           new KerberosDelegationTokenAuthenticator(allowFallback) : authType.newInstance();
     DelegationTokenAuthenticatedURL authUrl =
           new DelegationTokenAuthenticatedURL(auth, configurator);

Would you please confirm if this is what you are looking for? 

Thanks a lot.

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
HADOOP-10895.003v1.patch, HADOOP-10895.003v2.patch, HADOOP-10895.003v2improved.patch, HADOOP-10895.004.patch,
HADOOP-10895.005.patch, HADOOP-10895.006.patch, HADOOP-10895.007.patch
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message