[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13949757#comment-13949757
]
Tsz Wo Nicholas Sze commented on HADOOP-10398:
----------------------------------------------
[~tucu00], in Bowen's use case, there is an expired token with a valid
username. The client doesn't want to be authenticated as anonymous. However,
the auth filter somehow authenticates the client as anonymous. Returning an
error (so that the client could retry with user.name) or taking the username
from the token is fine.
> ... anonymous means 'we don't expect the username to be known at all' ...
I don't understand the statement above. Do you mean that the client should not
provide user.name?
> KerberosAuthenticator failed to fall back to PseudoAuthenticator after
> HADOOP-10078
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-10398
> URL: https://issues.apache.org/jira/browse/HADOOP-10398
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Tsz Wo Nicholas Sze
> Assignee: Tsz Wo Nicholas Sze
> Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
> if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
> LOG.debug("JDK performed authentication on our behalf.");
> // If the JDK already did the SPNEGO back-and-forth for
> // us, just pull out the token.
> AuthenticatedURL.extractToken(conn, token);
> return;
> } else ...
> {code}
> The problem of the code above is that HTTP_OK does not implies authentication
> completed. We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this
> comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
> earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
