hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Sat, 08 Nov 2014 17:01:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14203501#comment-14203501

Yongjun Zhang commented on HADOOP-10895:

Hi [~tucu00],

The concern you raised in your comment #2  is that some code might mess with the default fallback
setting in the KerberosAuthenticator and cause unwanted effect.  I came up an alternative
solution that I think would address this concern without having to do the change described
in my last comment. I just uploaded rev 008, with your comment #1 addressed too.

That is, let KMSClientProvider remember the value of allowFallback specified in the configuration
file as a private boolean member when KMSClientProvider object is constructed, and then refresh
the KerberosAuthenticator's default setting each time before KMSClientProvider object creates
AuthenticatatedURL object.

After all, our intention is that the default setting should be the same as specified in the
configuration file all the time after initialization. What we are adding here is a protection
in case some code accidentally changed the setting.

BTW, as far as I can see, the only production code that has the need for this change is KMSClientProvider,
other similar places are in testing code. I think it's ok for the other places to rely on
setting the default fallback at initialization time without refreshing, which would even help
us to find any culprit code that tries to mess with the default setting after initialization,
if error happens.

Would you please help take a look at rev 008?

Thanks a lot.

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
HADOOP-10895.003v1.patch, HADOOP-10895.003v2.patch, HADOOP-10895.003v2improved.patch, HADOOP-10895.004.patch,
HADOOP-10895.005.patch, HADOOP-10895.006.patch, HADOOP-10895.007.patch, HADOOP-10895.008.patch
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message