Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3748F11C03 for ; Fri, 18 Jul 2014 01:53:31 +0000 (UTC) Received: (qmail 8513 invoked by uid 500); 18 Jul 2014 01:53:30 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 8470 invoked by uid 500); 18 Jul 2014 01:53:30 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 8457 invoked by uid 99); 18 Jul 2014 01:53:30 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Jul 2014 01:53:30 +0000 Date: Fri, 18 Jul 2014 01:53:30 +0000 (UTC) From: "Aaron T. Myers (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HADOOP-10453) Do not use AuthenticatedURL in hadoop core MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-10453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aaron T. Myers updated HADOOP-10453: ------------------------------------ Priority: Major (was: Blocker) I'm lowering the prio of this from major. I think we all agree that it's an issue that we should address, but I see no reason this should be considered a blocker. > Do not use AuthenticatedURL in hadoop core > ------------------------------------------ > > Key: HADOOP-10453 > URL: https://issues.apache.org/jira/browse/HADOOP-10453 > Project: Hadoop Common > Issue Type: Bug > Reporter: Haohui Mai > > As [~daryn] has suggested in HDFS-4564: > {quote} > AuthenticatedURL is not used because it is buggy in part to causing replay attacks, double attempts to kerberos authenticate with the fallback authenticator if the TGT is expired, incorrectly uses the fallback authenticator (required by oozie servers) to add the username parameter which webhdfs has already included in the uri. > AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK transparently does SPNEGO when the user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL is now not used, webhdfs has to check the TGT itself for token operations. > Bottom line is AuthenticatedURL is unnecessary and introduces nothing but problems for webhdfs. It's only useful for oozie's anon/non-anon support. > {quote} > However, several functionalities that relies on SPNEGO in secure mode suffer from the same problem. For example, NNs / JNs create HTTP connections to exchange fsimage and edit logs. Currently all of them are through {{AuthenticatedURL}}. This needs to be fixed to avoid security vulnerabilities. > This jira purposes to remove {{AuthenticatedURL}} from hadoop core and to move it to oozie. -- This message was sent by Atlassian JIRA (v6.2#6252)