hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Sat, 01 Nov 2014 00:38:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14192826#comment-14192826

Robert Kanter commented on HADOOP-10895:

I took a closer look and had a few comments:
# In {{TestPseudoAuthenticator}}, you don't need to change the fallback to {{true}}.  The
{{PseudoAuthenticator}} can't actually fallback (in fact, the setter doesn't do anything).
# It looks like most of the tests enable the fallback behavior.  If the default is going to
be not to fallback, I think the tests should be updated to not require falling back (unless
the test is specifically testing something that requires fallback to be enabled).
# Can you add a test that verifies that you can't fallback when it's disabled?
# Setting "ipc.client.fallback-to-simple-auth-allowed" is only going to work for the KMS.
 If I want to create a {{KerberosAuthenticator}} that allows fallback, I have to call the
{{setAllowDefaultAuthToFallbackToPseudo}} method.  However, once I add that call, if I also
wanted to allow my code to be compiled against a previous version of Hadoop, it won't compile
now.  The nice thing about having a property config to enable/disable this is that it doesn't
breaking compiling.  In other words, it would be nice if I could set a property config to
enable the fallback: this would allow the fallback going forward but still allow the code
to work with earlier Hadoop versions (they would just ignore the property).

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message