[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13464217#comment-13464217
]
Andy Isaacson commented on HADOOP-8855:
---------------------------------------
I tested Todd's patch on a cluster with various permutations of krb5 and SSL.
With the patched JAR, all of my tests passed.
- hadoop.security.authentication=kerberos hadoop.ssl.enabled=true: dfsadmin
-fetchImage works.
- hadoop.security.authentication=simple hadoop.ssl.enabled=true: fetchImage
works.
- hadoop.security.authentication=kerberos hadoop.ssl.enabled=false: fetchImage
works.
I also duplicated Todd's observation that {{dfsadmin -fetchImage}} does not
work on krb5 without the doAs.
> SSL-based image transfer does not work when Kerberos is disabled
> ----------------------------------------------------------------
>
> Key: HADOOP-8855
> URL: https://issues.apache.org/jira/browse/HADOOP-8855
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0, 2.0.2-alpha
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Minor
> Attachments: hadoop-8855.txt, hadoop-8855.txt, hadoop-8855.txt
>
>
> In SecurityUtil.openSecureHttpConnection, we first check
> {{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
> kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
> should check {{HttpConfig.isSecure()}}.
> Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
