[ https://issues.apache.org/jira/browse/HADOOP-8883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808241#comment-13808241 ]

Andrey Klochkov commented on HADOOP-8883:
-----------------------------------------

Robert, 
{{TestKerberosAuthenticator#testFallbacktoPseudoAuthenticatorAnonymous}} 
passes, but it doesn't verify the presence of the {{Authorization}} header, it 
verifies _absence_ of it. Effectively the check 
"conn.getRequestProperty(AUTHORIZATION) != null" would never succeed, so the 
first block in the code below would never be used. 

{code}
if (conn.getRequestProperty(AUTHORIZATION) != null
    && conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug("JDK performed authentication on our behalf.");
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
  AuthenticatedURL.extractToken(conn, token);
  return;
} else if (isNegotiate()) {
  LOG.debug("Performing our own SPNEGO sequence.");
  doSpnegoSequence(token);
} else {
  LOG.debug("Using fallback authenticator sequence.");
  getFallBackAuthenticator().authenticate(url, token);
}
{code}

Can you please give me more context on why it is needed to do "manual" 
authorization, i.e. why JDK does not do the authentication every time, i.e. in 
what cases {{KerberosAuthenticator.doSpnegoSequence}} should be used? I'm 
interested in this as we're fighting with a related issue - in some 
circumstances JDK just stops doing the authentication we rely on (it stops 
caching tokens), and so all requests associated with {{HttpOpParam.Op}} 
instances with {{requireAuth==false}} start failing -- effectively, it's all 
operations except {{GETDELEGATIONTOKEN}}. If 
{{o.a.h.hdfs.web.URLConnectionFactory.openConnection}} used 
{{KerberosAuthenticator}} for all operations (not just getting delegation 
tokens), then we wouldn't have the problem. So I'm wondering who can shed some 
light on how JDK is supposed to handle that, and in what cases 
{{KerberosAuthenticator.doSpnegoSequence}} is really needed. Sorry, it's not 
related directly to this issue, I'm just trying to find who can have answers.

> Anonymous fallback in KerberosAuthenticator is broken
> -----------------------------------------------------
>
>                 Key: HADOOP-8883
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8883
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.3-alpha
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>              Labels: security
>             Fix For: 2.0.3-alpha
>
>         Attachments: HADOOP-8883.patch
>
>
> HADOOP-8855 changed KerberosAuthenticator to handle when the JDK did the 
> SPNEGO already; but this change broke using the fallback authenticator 
> (PseudoAuthenticator) with an anonymous user (see OOZIE-1010).  



--
This message was sent by Atlassian JIRA
(v6.1#6144)
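
An added example, not part of the original comment or of Hadoop's code: a way to check on a given JDK what {{conn.getRequestProperty(AUTHORIZATION)}} returns for a request that really carries the header. OpenJDK's {{HttpURLConnection}} implementation returns null from {{getRequestProperty}} for {{Authorization}} and {{Proxy-Authorization}}, so there the first-branch condition is false even though the server receives the header. The class name, the local test server and the header value are constructed for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.concurrent.atomic.AtomicReference;

public class AuthorizationHeaderVisibility {
  private static final String AUTHORIZATION = "Authorization";

  public static void main(String[] args) throws Exception {
    // Constructed local endpoint that records the Authorization header it receives.
    AtomicReference<String> seenByServer = new AtomicReference<>();
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    server.createContext("/", exchange -> {
      seenByServer.set(exchange.getRequestHeaders().getFirst(AUTHORIZATION));
      exchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, -1); // 200, no body
      exchange.close();
    });
    server.start();
    try {
      URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
      // Constructed placeholder value, not a real SPNEGO token.
      conn.setRequestProperty(AUTHORIZATION, "Negotiate cGxhY2Vob2xkZXI=");

      int status = conn.getResponseCode(); // sends the request
      String seenByClient = conn.getRequestProperty(AUTHORIZATION);
      // Same condition as the first branch of the quoted snippet.
      boolean firstBranch = seenByClient != null && status == HttpURLConnection.HTTP_OK;

      System.out.println("status                       : " + status);
      System.out.println("header received by server    : " + seenByServer.get());
      System.out.println("conn.getRequestProperty(...) : " + seenByClient);
      System.out.println("first branch would be taken  : " + firstBranch);
      conn.disconnect();
    } finally {
      server.stop(0);
    }
  }
}
```

Because the client-side getter hides the header, code that needs to know whether the JDK already negotiated has to rely on something the response exposes rather than on {{getRequestProperty}}.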