hadoop-hdfs-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations
Date Mon, 27 Jan 2014 18:03:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883024#comment-13883024 ]

Alejandro Abdelnur commented on HDFS-4564:

[~daryn], the hadoop-auth part of the patch LGTM, but it should be a separate HADOOP JIRA.

Regarding not using the AuthenticatedUrl on the client side: yes and no. When I first implemented
hadoop-auth I was not aware that the JDK HttpURLConnection was triggering SPNEGO if you are in a
DO-AS block. When I found that out, and dug a bit, I found that the JDK HttpURLConnection
SPNEGO is not following the spec. The spec states that the client should send the
{{Authorization: Negotiate <TOKEN>}} header only when the server response has a
{{WWW-Authenticate: Negotiate}}, but the JDK is doing this proactively on every request (as
opposed to in response to {{WWW-Authenticate: Negotiate}}). In theory this has a nice
consequence: you don't need an extra round trip. In practice it means that the client and
server are exercising SPNEGO on every request. I never had the time to investigate what exactly
this means from a performance perspective and interactions with the KDC (client and server side).

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4564.branch-23.patch
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying
> operations.  Examples include rejecting invalid proxy user attempts and renew/cancel with
> an invalid user.

This message was sent by Atlassian JIRA
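
Added example, not part of the original message or of the Hadoop code base: a small trace classifier that separates requests carrying an Authorization: Negotiate header in answer to a WWW-Authenticate: Negotiate challenge from requests that carry it proactively, as the comment above describes. The Exchange record, its conn field and the trace are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Exchange:
    conn: str                      # client/connection id (assumed trace field)
    req: dict                      # request headers
    status: int                    # response status code
    resp: dict = field(default_factory=dict)  # response headers

def has_negotiate(headers, name):
    """True if header `name` (case-insensitive) uses the Negotiate scheme."""
    value = next((v for k, v in headers.items() if k.lower() == name), "")
    return value.split(" ", 1)[0].lower() == "negotiate"

def classify(trace):
    """Label each exchange 'none', 'challenged' or 'proactive'."""
    pending = set()                # connections holding an unanswered challenge
    labels = []
    for ex in trace:
        if has_negotiate(ex.req, "authorization"):
            labels.append("challenged" if ex.conn in pending else "proactive")
            pending.discard(ex.conn)
        else:
            labels.append("none")
        # Only a 401 carrying the Negotiate scheme counts as a challenge.
        if ex.status == 401 and has_negotiate(ex.resp, "www-authenticate"):
            pending.add(ex.conn)
    return labels

def summarize(trace):
    """Per-connection count of each label."""
    out = {}
    for ex, label in zip(trace, classify(trace)):
        out.setdefault(ex.conn, Counter())[label] += 1
    return out

# Constructed trace: "a" waits for the challenge, "b" sends a token every time.
CHALLENGE = {"WWW-Authenticate": "Negotiate"}
TOKEN = {"Authorization": "Negotiate <TOKEN>"}
TRACE = [
    Exchange("a", {}, 401, CHALLENGE),
    Exchange("a", TOKEN, 200),
    Exchange("a", {"Cookie": "session=constructed"}, 200),
    Exchange("b", TOKEN, 200),
    Exchange("b", TOKEN, 200),
    Exchange("b", TOKEN, 200),
]

if __name__ == "__main__":
    for conn, counts in summarize(TRACE).items():
        print(conn, dict(counts))
```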
