[
https://issues.apache.org/jira/browse/HADOOP-10453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14056609#comment-14056609
]
Haohui Mai commented on HADOOP-10453:
-------------------------------------
I'm okay to move it out. [~daryn], can you share your insights on this issue?
> Do not use AuthenticatedURL in hadoop core
> ------------------------------------------
>
> Key: HADOOP-10453
> URL: https://issues.apache.org/jira/browse/HADOOP-10453
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Haohui Mai
> Priority: Blocker
>
> As [~daryn] has suggested in HDFS-4564:
> {quote}
> AuthenticatedURL is not used because it is buggy in part to causing replay
> attacks, double attempts to kerberos authenticate with the fallback
> authenticator if the TGT is expired, incorrectly uses the fallback
> authenticator (required by oozie servers) to add the username parameter which
> webhdfs has already included in the uri.
> AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK
> transparently does SPNEGO when the user's Subject (UGI) contains kerberos
> principals. Since AuthenticatedURL is now not used, webhdfs has to check the
> TGT itself for token operations.
> Bottom line is AuthenticatedURL is unnecessary and introduces nothing but
> problems for webhdfs. It's only useful for oozie's anon/non-anon support.
> {quote}
> However, several functionalities that relies on SPNEGO in secure mode suffer
> from the same problem. For example, NNs / JNs create HTTP connections to
> exchange fsimage and edit logs. Currently all of them are through
> {{AuthenticatedURL}}. This needs to be fixed to avoid security
> vulnerabilities.
> This jira purposes to remove {{AuthenticatedURL}} from hadoop core and to
> move it to oozie.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
