hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-10453) Do not use AuthenticatedURL in hadoop core
Date Mon, 31 Mar 2014 18:38:15 GMT
Haohui Mai created HADOOP-10453:

             Summary: Do not use AuthenticatedURL in hadoop core
                 Key: HADOOP-10453
                 URL: https://issues.apache.org/jira/browse/HADOOP-10453
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haohui Mai
            Priority: Blocker

As [~daryn] has suggested in HDFS-4564:

AuthenticatedURL is not used because it is buggy in part to causing replay attacks, double
attempts to kerberos authenticate with the fallback authenticator if the TGT is expired, incorrectly
uses the fallback authenticator (required by oozie servers) to add the username parameter
which webhdfs has already included in the uri.

AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK transparently does
SPNEGO when the user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL
is now not used, webhdfs has to check the TGT itself for token operations.
Bottom line is AuthenticatedURL is unnecessary and introduces nothing but problems for webhdfs.
It's only useful for oozie's anon/non-anon support.

However, several functionalities that relies on SPNEGO in secure mode suffer from the same
problem. For example, NNs / JNs create HTTP connections to exchange fsimage and edit logs.
Currently all of them are through {{AuthenticatedURL}}. This needs to be fixed to avoid security

This jira purposes to remove {{AuthenticatedURL}} from hadoop core and to move it to oozie.

This message was sent by Atlassian JIRA

View raw message