hadoop-common-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Mon, 03 Nov 2014 19:56:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194994#comment-14194994 ]

Robert Kanter commented on HADOOP-10895:

[~tucu00], changing the default to not allow fallback will break anybody relying on that behavior. For example, the Oozie client. It would be okay if we had a config property to change it back, as this would allow the Oozie client to compile against this version of hadoop-auth and prior versions without any code changes. However, it looks like we can't do that, and a method will have to be called. This means that projects depending on this fallback behavior either have to stick to only an older version of hadoop-auth or only a newer version, which makes things more difficult.

Why can't we keep the fallback enabled by default, and a method call to disable it? This shouldn't be a security problem because if you only want Kerberos, the server should only use the KerberosAuthenticationHandler, which IIRC, won't allow pseudo auth, even if the client falls back and tries to use it, right?

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
> version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
> to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA