hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
Date Mon, 17 Mar 2014 18:13:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13938137#comment-13938137
] 

Daryn Sharp commented on HADOOP-10398:
--------------------------------------

It's unfortunate that AuthenticatedURL didn't use Basic auth so the fallback authenticator
would only trigger on 401 basic.  We've internally removed AuthenticatedURL from webhdfs in
0.23 because server errors would trigger the fallback which tacks the username into the query
string and tries the request again, the jdk transparently attempted spnego again, which often
triggered kerberos replay attacks and caused the jdk to NPE.

> KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-10398
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10398
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tsz Wo Nicholas Sze
>            Assignee: Tsz Wo Nicholas Sze
>         Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
>       if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
>         LOG.debug("JDK performed authentication on our behalf.");
>         // If the JDK already did the SPNEGO back-and-forth for
>         // us, just pull out the token.
>         AuthenticatedURL.extractToken(conn, token);
>         return;
>       } else ...
> {code}
> The problem of the code above is that HTTP_OK does not implies authentication completed.
 We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message