hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Sun, 02 Nov 2014 07:08:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14193743#comment-14193743
] 

Yongjun Zhang commented on HADOOP-10895:
----------------------------------------

HI [~rkanter] and [~hitliuyi],

Thanks a lot for your earlier review and comments. I uploaded rev 004 to address them.

{quote}
In TestPseudoAuthenticator, you don't need to change the fallback to true. 
{quote}
Done. 

{quote}
It looks like most of the tests enable the fallback behavior. If the default is going to be
not to fallback, I think the tests should be updated to not require falling back (unless the
test is specifically testing something that requires fallback to be enabled).
{quote}
Indeed quite some existing testcases count on the fallback behaviour. Enabling the config
property make them to pass. So this indicates that the old behaviour is not broken as long
as we enable the config property. I agree that we should have some tests that don't count
on the fallback, however, I expect there should be some tests like that already (those I don't
have to fix because they succeeded without fallback), because the fallback is just a fallback
after all. I will probably dig some more to find some of those tests out. 

{quote}
Can you add a test that verifies that you can't fallback when it's disabled?
{quote}
Added 
{code}
@Test(expected=AuthenticationException.class)
  public void testDisallowFallbacktoPseudoAuthenticatorFail()
{code}

{quote}
Setting "ipc.client.fallback-to-simple-auth-allowed"...
{quote}
In the new rev I made it a requirement to pass the default authenticator to the constructor
of AuthenticatedURL, because it's not easy to pass the config property to the  old default
authenticator implemented in AuthenicatedURL. I hope this can work better.

Thanks for taking further look at the new rev.














> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
HADOOP-10895.004.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message