[
https://issues.apache.org/jira/browse/HADOOP-13316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347652#comment-15347652
]
Xiao Chen edited comment on HADOOP-13316 at 6/24/16 3:57 AM:
-------------------------------------------------------------
Patch 1 to fix this, with test cases that fail-before, pass-after.
Manually verified #3 fails in the above scenario with this change.
Thanks [~atm] for helping me understand the concept and [~andrew.wang] for
suggesting to create a blocker.
was (Author: xiaochen):
Patch 1 to fix this, with test cases that fail-before, pass-after.
Manually verified #3 fails in the above scenario with this change..
> Delegation Tokens should not be renewed or retrived using delegation token
> authentication
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13316
> URL: https://issues.apache.org/jira/browse/HADOOP-13316
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms, security
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Blocker
> Attachments: HADOOP-13316.01.patch
>
>
> Delegation tokens are supposed to be exchanged in a secure authentication,
> for security concerns.
> For example, HDFS [only distribute or renew a delegation token under kerberos
> authentication|https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L5164]
> {{DelegationTokenAuthenticationHandler}} used by KMS + HTTPFS doesn't follow
> this now, and poses security concerns. Details in comments.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
