Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A8072106BA for ; Mon, 3 Nov 2014 18:09:35 +0000 (UTC) Received: (qmail 72944 invoked by uid 500); 3 Nov 2014 18:09:34 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 72894 invoked by uid 500); 3 Nov 2014 18:09:34 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 72883 invoked by uid 99); 3 Nov 2014 18:09:34 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Nov 2014 18:09:34 +0000 Date: Mon, 3 Nov 2014 18:09:34 +0000 (UTC) From: "Yongjun Zhang (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194809#comment-14194809 ] Yongjun Zhang commented on HADOOP-10895: ---------------------------------------- HI [~tucu00], Thanks a lot for your input. The problem is that {{AuthenticatedURL}} creates authenticator when client code doesn't pass one, {code} public AuthenticatedURL(Authenticator authenticator, ConnectionConfigurator connConfigurator) { try { if (authenticator != null) { this.authenticator = authenticator; } else { // use default authenticator this.authenticator = DEFAULT_AUTHENTICATOR.newInstance(); <== this is where the default authenticator is created } ... {code} we somehow need to let AuthenticatedURL know whether to create an authenticator that allows fallback or not. Certainly this is relevant only when the authenticator is KerberosAuthenticator. Since user is allowed to set the default authenticator type, and {{AuthenticatedURL}} doesn't really care what authenticator type it is creating. Are you suggesting that we can change AuthenticatedURL to not create authenticator in the above code, and instead, to retrieve the static version from the corresponding authenticator class? I can make this change to {{AuthenticatedURL}}, I wonder whether there is any compatibility concern of doing so? Thanks. > HTTP KerberosAuthenticator fallback should have a flag to disable it > -------------------------------------------------------------------- > > Key: HADOOP-10895 > URL: https://issues.apache.org/jira/browse/HADOOP-10895 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.4.1 > Reporter: Alejandro Abdelnur > Assignee: Yongjun Zhang > Priority: Blocker > Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch, HADOOP-10895.004.patch > > > Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly to the one that was introduced in Hadoop RPC client with HADOOP-9698. -- This message was sent by Atlassian JIRA (v6.3.4#6332)