[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13941979#comment-13941979
]
Bowen Zhang commented on HADOOP-10398:
--------------------------------------
We have 2 issues here:
1. Say, if we allow anonymous request and disable authorization like you
mentioned above, then this flag "-Doozie.auth.token.cache=false" will determine
whether the request can pick the right auth token. If you put
"-Doozie.auth.token.cache=false" as part of your command line, then your
request will not have a token like this one
"u=bzhang&p=bzhang&t=simple&e=1394524353045&s=x/DrPWzyjbHP0KF57ta/5ZBrs+8=" at
all, since we fail to fall back to PseudoAuthenticator in
KerberosAuthenticator.java due to HADOOP-10078. While on the other hand, if we
use the auth token cache, we will pick up the right token from the cache file. In
production, we generally don't want to use the token cache, since multiple
different users on the same machine can mess up the token.
2. Like [~rkanter] mentioned above,
"oozie.service.AuthorizationService.security.enabled" and
"oozie.authentication.simple.anonymous.allowed" are not mutually exclusive from
the oozie product point of view. When we allow anonymous request and enable
authorization at the same time, we are merely saying anonymous users can view
the web console or other job info; it's just that we enforce that only the owner and
admin can kill/modify a job. The "anonymous" config has more to do with viewing
the oozie web console and the "authorization" config has more to do with who can
modify a job.
[~rkanter], do you agree?
> KerberosAuthenticator failed to fall back to PseudoAuthenticator after
> HADOOP-10078
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-10398
> URL: https://issues.apache.org/jira/browse/HADOOP-10398
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Tsz Wo Nicholas Sze
> Assignee: Tsz Wo Nicholas Sze
> Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
> if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
> LOG.debug("JDK performed authentication on our behalf.");
> // If the JDK already did the SPNEGO back-and-forth for
> // us, just pull out the token.
> AuthenticatedURL.extractToken(conn, token);
> return;
> } else ...
> {code}
> The problem with the code above is that HTTP_OK does not imply that authentication
> completed. We should check whether the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this
> comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
> earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
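Added example, not code from Hadoop or Oozie: a stand-alone model of the check the issue asks for. A SPNEGO round trip counts as authenticated only when the response actually carries a usable hadoop.auth token, not merely because the status was 200. The token field names (u, p, t, e, s) and the sample value come from the token quoted in the comment above; the cookie name hadoop.auth, the function names, and the Set-Cookie headers used as input are assumptions constructed for this example. buggy_decision mirrors the pre-fix logic of the quoted snippet; fixed_decision is the corrected form.

```python
"""Added example (not Hadoop/Oozie code): decide whether a SPNEGO round trip
actually authenticated the client, based on the hadoop.auth token rather than
on HTTP 200 alone.  The hadoop.auth cookie name and the helper names are
assumptions for this example; the token layout u/p/t/e/s is the one quoted in
the JIRA comment."""
from dataclasses import dataclass
from typing import Iterable, Optional

AUTH_COOKIE = "hadoop.auth"  # assumed cookie name carrying the signed token


@dataclass(frozen=True)
class AuthToken:
    user: str          # u=
    principal: str     # p=
    auth_type: str     # t= ("simple", "kerberos", ...)
    expires_ms: int    # e= epoch milliseconds
    signature: str     # s= base64; may itself end in '='

    def is_expired(self, now_ms: int) -> bool:
        return now_ms >= self.expires_ms


def parse_auth_token(raw: str) -> Optional[AuthToken]:
    """Parse 'u=..&p=..&t=..&e=..&s=..'; return None if malformed or incomplete."""
    fields = {}
    for part in raw.split("&"):
        key, sep, value = part.partition("=")  # first '=' only: signature contains '='
        if not sep or not key:
            return None
        fields[key] = value
    try:
        return AuthToken(
            user=fields["u"],
            principal=fields["p"],
            auth_type=fields["t"],
            expires_ms=int(fields["e"]),
            signature=fields["s"],
        )
    except (KeyError, ValueError):
        return None


def extract_token(set_cookie_headers: Iterable[str]) -> Optional[AuthToken]:
    """Look for the hadoop.auth cookie among Set-Cookie headers.
    Returns None when no usable token is present (token stays unset)."""
    for header in set_cookie_headers:
        name_value = header.split(";", 1)[0].strip()
        name, sep, value = name_value.partition("=")
        if sep and name.strip() == AUTH_COOKIE:
            return parse_auth_token(value.strip().strip('"'))
    return None


def buggy_decision(status: int, set_cookie_headers: Iterable[str]) -> str:
    """Pre-fix behaviour of the quoted snippet: 200 => assume the JDK did SPNEGO,
    even if no token was issued, so the client never falls back."""
    if status == 200:
        extract_token(set_cookie_headers)  # result ignored
        return "done"
    return "negotiate"


def fixed_decision(status: int, set_cookie_headers: Iterable[str]) -> str:
    """200 only counts when a token was actually issued; a bare 200 (e.g. the
    server allows anonymous requests) means the fallback authenticator must run."""
    if status == 200:
        if extract_token(set_cookie_headers) is not None:
            return "done"
        return "fallback-pseudo"
    return "negotiate"


# Constructed sample headers for a quick stand-alone run.
SAMPLE_TOKEN = "u=bzhang&p=bzhang&t=simple&e=1394524353045&s=x/DrPWzyjbHP0KF57ta/5ZBrs+8="
WITH_TOKEN = ['hadoop.auth="%s"; Path=/; HttpOnly' % SAMPLE_TOKEN, "JSESSIONID=abc; Path=/"]
WITHOUT_TOKEN = ["JSESSIONID=abc; Path=/"]

if __name__ == "__main__":
    print("buggy, 200 no cookie :", buggy_decision(200, WITHOUT_TOKEN))
    print("fixed, 200 no cookie :", fixed_decision(200, WITHOUT_TOKEN))
    print("fixed, 200 with cookie:", fixed_decision(200, WITH_TOKEN))
```

The difference between the two decision functions is the whole bug: with anonymous access enabled the server answers 200 without setting a token, the buggy path returns early, and the client goes on sending unauthenticated requests instead of handing off to PseudoAuthenticator.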