[
https://issues.apache.org/jira/browse/HADOOP-13228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15309009#comment-15309009
]
Xiao Chen edited comment on HADOOP-13228 at 6/1/16 1:20 AM:
------------------------------------------------------------
Fix:
As talked with [~andrew.wang], given that the querystring is deprecated, we
don't need to support it in newly added functionalities. Hence, I simply put up
the fix to always put the DT to the request header, when conducting the 3
(get/renew/cancel) DT ops. The fix here is in {{DelegationTokenAuthenticator}}
because that's where the connection is created.
Test:
- Seems to me {{TestWebDelegationToken}} is the best place to test this.
(HADOOP-13155 will also test this from an end-to-end POV.)
- {{TestWebDelegationToken}} currently creates a bunch of fake classes to test.
To keep the change minimal, I added a new test for using DT, and added the
verification logic to the fake server classes.
- Existing tests pass because 1) when authToken is valid, no DT logic is
triggered. 2) When there's no DT, they fall back to the underlying auth
handler, which is again faked.
- I added a {{verifyHeader}} flag to control whether to check the request
header or not. This is because if we have an auth token, we don't care about DT
anymore. (So all existing tests don't need to verify header). If this is not
acceptable, I think we can also create a new DTAuthHandler stub for verifying
this.
- Added a log in DTAuthHandler, which I think is super helpful for debugging
this.
was (Author: xiaochen):
Fix:
As talked with [~andrew.wang], given that the querystring is deprecated, we
don't need to support it in newly added functionalities. Hence, I simply put up
the fix to always put the DT to the request header, when conducting the 3
(get/renew/cancel) DT ops. The fix here is in {{DelegationTokenAuthenticator}}
because that's where the connection is created.
Test:
- Seems to me {{TestWebDelegationToken}} is the best place to test this.
(HADOOP-13155 will also test this from an end-to-end POV.
- {{TestWebDelegationToken}} currently creates a bunch of fake classes to test.
To keep the change minimal, I added a new test for using DT, and added the
verification logic to the fake server classes.
- Existing tests pass because when there's no DT, they fall back to the
underlying auth handler, which is again faked.
- I added a {{verifyHeader}} flag to control whether to check the request
header or not. This is because if we have an auth token, we don't care about DT
anymore. (So all existing tests don't need to verify header). If this is not
acceptable, I think we can also create a new DTAuthHandler stub for verifying
this.
- Added a log in DTAuthHandler, which I think is super helpful for debugging
this.
> Add delegation token to the connection in DelegationTokenAuthenticator
> ----------------------------------------------------------------------
>
> Key: HADOOP-13228
> URL: https://issues.apache.org/jira/browse/HADOOP-13228
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: HADOOP-13228.01.patch
>
>
> Following [a comment from another
> jira|https://issues.apache.org/jira/browse/HADOOP-13155?focusedCommentId=15308715&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15308715],
> create this to specifically handle the delegation token renewal/cancellation
> bug in {{DelegationTokenAuthenticatedURL}} and
> {{DelegationTokenAuthenticator}}.
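The approach described in the comment above (the client always sends the DT in a request header for the three DT ops, and a fake server checks it only when a {{verifyHeader}} flag is set), as an added example that is not part of the original message or the attached patch. The class name, the header name, the `op` values and the use of GET for every op are assumptions made for illustration, and the token is a constructed sample value.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class DtHeaderDemo {
  // Assumed header name; confirm against DelegationTokenAuthenticator in your Hadoop version.
  static final String DT_HEADER = "X-Hadoop-Delegation-Token";

  // Fake server: with verifyHeader set, a request without the DT header is rejected.
  static HttpServer startFakeServer(boolean verifyHeader) throws Exception {
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    server.createContext("/", exchange -> {
      String dt = exchange.getRequestHeaders().getFirst(DT_HEADER);
      boolean missing = dt == null || dt.isEmpty();
      int status = (verifyHeader && missing) ? 403 : 200;
      exchange.sendResponseHeaders(status, -1); // -1 means no response body
      exchange.close();
    });
    server.start();
    return server;
  }

  // Client side: the token goes on the connection as a header, never in the URL.
  static int doDtOp(int port, String op, String token) throws Exception {
    URL url = new URL("http://127.0.0.1:" + port + "/?op=" + op);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    if (token != null) {
      conn.setRequestProperty(DT_HEADER, token);
    }
    try {
      return conn.getResponseCode();
    } finally {
      conn.disconnect();
    }
  }

  public static void main(String[] args) throws Exception {
    String token = "constructed-sample-token"; // constructed value, not a real DT
    for (boolean verifyHeader : new boolean[] {true, false}) {
      HttpServer server = startFakeServer(verifyHeader);
      int port = server.getAddress().getPort();
      for (String op : new String[] {"get", "renew", "cancel"}) { // hypothetical op values
        System.out.printf("verifyHeader=%b op=%s with=%d without=%d%n", verifyHeader, op,
            doDtOp(port, op, token), doDtOp(port, op, null));
      }
      server.stop(0);
    }
  }
}
```

With the flag on, each op returns 200 only when the header is present; with it off, the fake server accepts both, which is the case the comment describes for requests that already carry a valid auth token.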