hadoop-common-issues mailing list archives

From "Andrey Klochkov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8883) Anonymous fallback in KerberosAuthenticator is broken
Date Tue, 29 Oct 2013 02:23:30 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807596#comment-13807596 ]

Andrey Klochkov commented on HADOOP-8883:
-----------------------------------------

Actually, the JDK does not allow reading the content of the "Authorization" request property, so this
fix doesn't change the behavior.

Here's an extract from the OpenJDK 1.7 sources. OpenJDK 1.6 is similar. My experiments with Oracle
JDK7 show the same behavior (the property is not available to the user).

{code}
// Extract from sun.net.www.protocol.http.HttpURLConnection (OpenJDK 7);
// the class name is added here for context.

    // the following http request headers should NOT have their values
    // returned for security reasons.
    private static final String[] EXCLUDE_HEADERS = {
            "Proxy-Authorization",
            "Authorization"
    };

    @Override
    public synchronized String getRequestProperty (String key) {
        if (key == null) {
            return null;
        }

        // don't return headers containing security sensitive information
        for (int i=0; i < EXCLUDE_HEADERS.length; i++) {
            if (key.equalsIgnoreCase(EXCLUDE_HEADERS[i])) {
                return null;
            }
        }
        // ... (rest of the method omitted in the extract)
{code}

Should this Jira be re-opened or another one created?

> Anonymous fallback in KerberosAuthenticator is broken
> -----------------------------------------------------
>
>                 Key: HADOOP-8883
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8883
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.3-alpha
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>              Labels: security
>             Fix For: 2.0.3-alpha
>
>         Attachments: HADOOP-8883.patch
>
>
> HADOOP-8855 changed KerberosAuthenticator to handle when the JDK did the SPNEGO already;
> but this change broke using the fallback authenticator (PseudoAuthenticator) with an anonymous
> user (see OOZIE-1010).



--
This message was sent by Atlassian JIRA
(v6.1#6144)
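The JDK behavior the comment above describes can be checked without any network access, since `openConnection()` does not connect. The following is an added example, not code from the Hadoop project or from the JDK: it sets a header on an `HttpURLConnection`, reads it back, and then shows the pattern a caller has to use instead, namely tracking on its own whether it has already set an `Authorization` header. The class and method names (`AuthorizationHeaderReadback`, `readBack`, `TrackedConnection`) and the `localhost:8080` URL are assumptions made for the example.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class AuthorizationHeaderReadback {

    // Hypothetical helper: set a request header and return what the JDK
    // hands back for it. No I/O happens: openConnection() does not connect
    // and the constructed localhost URL is never resolved.
    static String readBack(String header, String value) throws IOException {
        HttpURLConnection conn = (HttpURLConnection)
                new URL("http://localhost:8080/test").openConnection();
        conn.setRequestProperty(header, value);
        return conn.getRequestProperty(header);
    }

    // Because Authorization / Proxy-Authorization cannot be read back, a
    // caller that must know whether it already sent credentials has to
    // remember that itself instead of querying the connection.
    static final class TrackedConnection {
        private final HttpURLConnection conn;
        private boolean authorizationSet;

        TrackedConnection(HttpURLConnection conn) {
            this.conn = conn;
        }

        void setAuthorization(String value) {
            conn.setRequestProperty("Authorization", value);
            authorizationSet = true;
        }

        // Reliable, unlike conn.getRequestProperty("Authorization") != null,
        // which is always false on the JDK versions quoted above.
        boolean hasAuthorization() {
            return authorizationSet;
        }
    }

    public static void main(String[] args) throws IOException {
        // An ordinary header is returned as set.
        System.out.println("X-Custom            -> " + readBack("X-Custom", "abc"));
        // The two excluded headers come back as null even though they were set.
        // The token values are constructed placeholders, not real credentials.
        System.out.println("Authorization       -> "
                + readBack("Authorization", "Negotiate <constructed-token>"));
        System.out.println("Proxy-Authorization -> "
                + readBack("Proxy-Authorization", "Basic <constructed-token>"));

        HttpURLConnection conn = (HttpURLConnection)
                new URL("http://localhost:8080/test").openConnection();
        TrackedConnection tracked = new TrackedConnection(conn);
        System.out.println("tracked before: " + tracked.hasAuthorization());
        tracked.setAuthorization("Negotiate <constructed-token>");
        System.out.println("tracked after:  " + tracked.hasAuthorization());
        System.out.println("read back:      " + conn.getRequestProperty("Authorization"));
    }
}
```

On the OpenJDK versions quoted in the comment, the first `readBack` call returns the value that was set while the `Authorization` and `Proxy-Authorization` calls return `null`, which is why a fix that decides whether to fall back to `PseudoAuthenticator` by inspecting that header cannot observe anything. The `TrackedConnection` flag is the only state a caller can rely on; if the JDK itself adds the SPNEGO header, that addition is invisible to the caller through `getRequestProperty`, so the decision must be made from the server's response, not from the request headers.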
