hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bowen Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
Date Thu, 20 Mar 2014 18:54:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942127#comment-13942127
] 

Bowen Zhang commented on HADOOP-10398:
--------------------------------------

[~rkanter], 1) in production, what you said is theoretically true. But, we do see customers
share or mount the same directories on flubber. This is also probably why we have this "-Doozie.auth.token.cache"
flag to begin with.
2) No, I don't have this problem when we don't set "-Doozie.auth.token.cache" to false.
The core of the issue is this: when enabling security, to kill a job, there are two ways to
set "user.name" which AuthorizationService.java will use to authorize operation in "public
void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException".
One is to read the token cahe file, the other is through calling 
"if (!currentToken.isSet()) {
            Authenticator authenticator = getAuthenticator();
            try {
                new AuthenticatedURL(authenticator).openConnection(url, currentToken);
            }
            catch (AuthenticationException ex) {
                AUTH_TOKEN_CACHE_FILE.delete();
                throw new OozieClientException(OozieClientException.AUTHENTICATION,
                                               "Could not authenticate, " + ex.getMessage(),
ex);
            }
        }"
in authoozieclient.java. Due to hadoop-10078, we no longer get "user.name" anymore


> KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-10398
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10398
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tsz Wo Nicholas Sze
>            Assignee: Tsz Wo Nicholas Sze
>         Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
>       if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
>         LOG.debug("JDK performed authentication on our behalf.");
>         // If the JDK already did the SPNEGO back-and-forth for
>         // us, just pull out the token.
>         AuthenticatedURL.extractToken(conn, token);
>         return;
>       } else ...
> {code}
> The problem of the code above is that HTTP_OK does not implies authentication completed.
 We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message