Date: Fri, 1 Jun 2012 20:44:23 +0000 (UTC)
From: "Alejandro Abdelnur (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-8465) hadoop-auth should support ephemeral authentication

    [ https://issues.apache.org/jira/browse/HADOOP-8465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13287653#comment-13287653 ]

Alejandro Abdelnur commented on HADOOP-8465:
--------------------------------------------

This can be addressed by allowing an AuthenticationHandler to set the expiration of the authentication token to ZERO (note that only ZERO would be supported, the AuthenticationHandler cannot change to an arbitrary expiration interval).

When the expiration is set to ZERO, the AuthenticationFilter would let the request continue to the target resource but it will not issue an HTTP Cookie. This means that subsequent requests will be forced through the AuthenticationHandler.

This will work with webhdfs delegation tokens where the delegation token must be part of the query string of the request.

> hadoop-auth should support ephemeral authentication
> ---------------------------------------------------
>
>                 Key: HADOOP-8465
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8465
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.0.1-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>             Fix For: 2.0.1-alpha
>
>
> Currently, once a client is authenticated the generated authentication-token (& cookie) are valid for a given (service configurable) lifespan.
> Once the authentication-token (& cookie) is issued, the authentication logic will not be triggered until the authentication-token expires.
> This behavior does not work well with delegation tokens' expected behavior where delegation tokens can be canceled at any time.
> Having ephemeral authentication (which is checked on every request) would address this issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
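
The behaviour described in the comment and in the quoted issue, as an added example that is not part of the original message and is not hadoop-auth code: a small Python model of a cookie-issuing filter in front of a delegation-token handler, comparing the existing lifespan-based cookie with an expiration of ZERO. All names here (auth_filter, DelegationTokenHandler, the "delegation" query parameter, the cookie layout and secret) are assumptions made for the model.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value for this model


def sign(value):
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}&s={mac}"


def verify(cookie):
    """Return the user named in a signed cookie, or None if invalid or expired."""
    value, _, mac = cookie.rpartition("&s=")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    user, expires = value.split("&e=")
    return user if float(expires) > time.time() else None


class DelegationTokenHandler:
    """Hypothetical handler: authenticates the 'delegation' query parameter."""

    def __init__(self, live_tokens, ephemeral):
        self.live_tokens = live_tokens  # token -> user; deleting an entry cancels it
        self.ephemeral = ephemeral

    def authenticate(self, query):
        user = self.live_tokens.get(query.get("delegation"))
        if user is None:
            return None
        # expires == 0 marks the authentication as ephemeral (the proposal)
        return {"user": user, "expires": 0 if self.ephemeral else None}


def auth_filter(handler, query, cookie=None, validity=3600):
    """Model of the filter: returns (status, user, set_cookie)."""
    if cookie and (user := verify(cookie)):
        return 200, user, None            # valid cookie: handler is not consulted
    token = handler.authenticate(query)
    if token is None:
        return 401, None, None
    if token["expires"] == 0:
        return 200, token["user"], None   # ephemeral: continue, issue no cookie
    expires = time.time() + validity
    return 200, token["user"], sign(f"{token['user']}&e={expires}")
```

With ephemeral=False, a request that carries a previously issued cookie is accepted even after the delegation token has been removed from live_tokens; with ephemeral=True no cookie exists, so the next request reaches the handler and the cancelled token is rejected.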