hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Tue, 04 Nov 2014 08:22:35 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195872#comment-14195872

Yongjun Zhang commented on HADOOP-10895:

HI Guys,

Thanks a lot for the review/feedback/discussion so far.

HI [~tucu00],

To address yours comments, I uploaded a slightly modified version of rev3 (rev3v1) with a
{{getDefaultAuthenticatorInstance}} method. 

About your suggestion,
IMO, the fallback is a concern of the {{KerberosAuthenticator}}, not of the {{AuthenticatedURL}}.
I would add the methods, both static and instance versions, to the KerberosAuthenticator,
and instance version to the DelegationTokenKerberosAuthenticator (the static version will
feed from the KerberosAuthenticator.

I agree that only {{KerberosAuthenticator}} and {{DelegationTokenKerberosAuthenticator}} are
relevant here.  Please notice that in rev3 all the authenticator types have the instance interface
(see Authenticator.java) in rev3.   The remaining thing that I would like to discuss a bit
more is about where to put the static version interface. 

Assume that we put the static interface to the two classes {{KerberosAuthenticator}} and {{DelegationTokenKerberosAuthenticator}}.
The type of the default authenticator in AuthenticatedURL (and DelegationTokenAuthenticatedURL)
may or may not be these two
classes because the client code is allowed to set the default authenticator type. That means,
when AuthenticatedURL create a default authenticator, it need to check the type of the authenticator
and do things differently for different types, I'm worried that this may not be that clean.
 So I haven't done this yet.

I intend to use patch rev3v1 for further discussion.  Many thanks for taking a look and comment

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
HADOOP-10895.003v1.patch, HADOOP-10895.004.patch
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message