Return-Path: X-Original-To: apmail-hadoop-common-dev-archive@www.apache.org Delivered-To: apmail-hadoop-common-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2734D107CA for ; Mon, 31 Mar 2014 18:38:39 +0000 (UTC) Received: (qmail 52710 invoked by uid 500); 31 Mar 2014 18:38:24 -0000 Delivered-To: apmail-hadoop-common-dev-archive@hadoop.apache.org Received: (qmail 52483 invoked by uid 500); 31 Mar 2014 18:38:17 -0000 Mailing-List: contact common-dev-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-dev@hadoop.apache.org Received: (qmail 52412 invoked by uid 99); 31 Mar 2014 18:38:15 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 31 Mar 2014 18:38:15 +0000 Date: Mon, 31 Mar 2014 18:38:15 +0000 (UTC) From: "Haohui Mai (JIRA)" To: common-dev@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (HADOOP-10453) Do not use AuthenticatedURL in hadoop core MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 Haohui Mai created HADOOP-10453: ----------------------------------- Summary: Do not use AuthenticatedURL in hadoop core Key: HADOOP-10453 URL: https://issues.apache.org/jira/browse/HADOOP-10453 Project: Hadoop Common Issue Type: Bug Reporter: Haohui Mai Priority: Blocker As [~daryn] has suggested in HDFS-4564: {quote} AuthenticatedURL is not used because it is buggy in part to causing replay attacks, double attempts to kerberos authenticate with the fallback authenticator if the TGT is expired, incorrectly uses the fallback authenticator (required by oozie servers) to add the username parameter which webhdfs has already included in the uri. AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK transparently does SPNEGO when the user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL is now not used, webhdfs has to check the TGT itself for token operations. Bottom line is AuthenticatedURL is unnecessary and introduces nothing but problems for webhdfs. It's only useful for oozie's anon/non-anon support. {quote} However, several functionalities that relies on SPNEGO in secure mode suffer from the same problem. For example, NNs / JNs create HTTP connections to exchange fsimage and edit logs. Currently all of them are through {{AuthenticatedURL}}. This needs to be fixed to avoid security vulnerabilities. This jira purposes to remove {{AuthenticatedURL}} from hadoop core and to move it to oozie. -- This message was sent by Atlassian JIRA (v6.2#6252)