[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942826#comment-13942826 ]

Alejandro Abdelnur commented on HADOOP-10398:
---------------------------------------------

bq. But, we do see customers share or mount the same directories on flubber. 

Well, just tell them they are shooting themselves in their feet. They should 
not do that.

bq.  like Robert Kanter mentioned above, 
"oozie.service.AuthorizationService.security.enabled" and 
"oozie.authentication.simple.anonymous.allowed" are not mutually exclusive from 
oozie product point of view. When we allow anonymous request and enable 
authorization at the same time, we are merely saying anonymous users can view 
the web console or other job info, it's just we enforce only the owner and 
admin can kill/modify a job. The "anonymous" config has more to do with viewing 
oozie webconsole and the "authorization" config has more to do with who can 
modify a job,

Are we dealing here with the special authentication handling based on 
user-agent?


> KerberosAuthenticator failed to fall back to PseudoAuthenticator after 
> HADOOP-10078
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-10398
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10398
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tsz Wo Nicholas Sze
>            Assignee: Tsz Wo Nicholas Sze
>         Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
>       if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
>         LOG.debug("JDK performed authentication on our behalf.");
>         // If the JDK already did the SPNEGO back-and-forth for
>         // us, just pull out the token.
>         AuthenticatedURL.extractToken(conn, token);
>         return;
>       } else ...
> {code}
> The problem with the code above is that HTTP_OK does not imply authentication 
> completed.  We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this 
> comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
>  earlier.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
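
The check the issue description asks for (a 200 response counts as authenticated only when a token can actually be extracted), written out as an added example; it is not the attached patch and not Hadoop's own code. The class and method names and the sample headers are hypothetical and constructed for illustration; `hadoop.auth` is the cookie name hadoop-auth uses for its token.

```java
import java.net.HttpURLConnection;
import java.util.*;

public class TokenCheckExample {
    // Prefix of the hadoop-auth token cookie inside a Set-Cookie header value.
    static final String AUTH_COOKIE_EQ = "hadoop.auth=";

    /** Returns the auth cookie value from the response headers, or empty if none was issued. */
    static Optional<String> findToken(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // HttpURLConnection.getHeaderFields() stores the status line under a null key.
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Set-Cookie")) continue;
            for (String cookie : e.getValue()) {
                if (!cookie.startsWith(AUTH_COOKIE_EQ)) continue;
                String value = cookie.substring(AUTH_COOKIE_EQ.length());
                int sep = value.indexOf(';');              // drop attributes such as Path
                if (sep >= 0) value = value.substring(0, sep);
                value = value.trim();
                // An empty or "" value is a cleared cookie, not a token.
                if (!value.isEmpty() && !value.equals("\"\"")) return Optional.of(value);
            }
        }
        return Optional.empty();
    }

    /** True only when the server answered 200 AND issued a token; 200 alone is not enough. */
    static boolean authCompleted(int status, Map<String, List<String>> headers) {
        return status == HttpURLConnection.HTTP_OK && findToken(headers).isPresent();
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured traffic.
        Map<String, List<String>> withCookie = new HashMap<>();
        withCookie.put(null, List.of("HTTP/1.1 200 OK"));
        withCookie.put("Set-Cookie", List.of("hadoop.auth=\"constructed-token-value\"; Path=/"));

        Map<String, List<String>> noCookie = new HashMap<>();
        noCookie.put(null, List.of("HTTP/1.1 200 OK"));
        noCookie.put("Content-Type", List.of("application/json"));

        Map<String, List<String>> cleared = new HashMap<>();
        cleared.put("Set-Cookie", List.of("hadoop.auth=\"\"; Path=/"));

        System.out.println("200 with token cookie:   " + authCompleted(200, withCookie)); // true
        System.out.println("200 without any cookie:  " + authCompleted(200, noCookie));   // false
        System.out.println("200 with cleared cookie: " + authCompleted(200, cleared));    // false
    }
}
```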
