[ 
https://issues.apache.org/jira/browse/HADOOP-10453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14063487#comment-14063487
 ] 

Alejandro Abdelnur commented on HADOOP-10453:
---------------------------------------------

The double SPNEGO authentication issue Daryn refers to is a problem of the 
KerberosAuthenticator. He is correct when stating that the JDK automatically does 
SPNEGO when within a Kerberos login context; I just created HADOOP-10850 for it.

Regarding removing {{AuthenticatedURL}} altogether, I disagree on that. The 
fallback functionality is useful, HttpFS uses it for testing and now KMS is 
using it as well, plus YARN RM and TimelineServer. So we should work on fixing 
it, rather than trashing it.

In addition, the work that I'm doing in HADOOP-10799 (adding delegation 
token support) & HADOOP-10835 (adding proxy user support) significantly 
simplifies the client-side code, eliminating a big chunk of repetitive 
security-related code that currently is done by the component doing HTTP calls 
instead of by a security library.

> Do not use AuthenticatedURL in hadoop core
> ------------------------------------------
>
>                 Key: HADOOP-10453
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10453
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haohui Mai
>            Priority: Blocker
>
> As [~daryn] has suggested in HDFS-4564:
> {quote}
> AuthenticatedURL is not used because it is buggy in part to causing replay 
> attacks, double attempts to kerberos authenticate with the fallback 
> authenticator if the TGT is expired, incorrectly uses the fallback 
> authenticator (required by oozie servers) to add the username parameter which 
> webhdfs has already included in the uri.
> AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK 
> transparently does SPNEGO when the user's Subject (UGI) contains kerberos 
> principals. Since AuthenticatedURL is now not used, webhdfs has to check the 
> TGT itself for token operations.
> Bottom line is AuthenticatedURL is unnecessary and introduces nothing but 
> problems for webhdfs. It's only useful for oozie's anon/non-anon support.
> {quote}
> However, several functionalities that rely on SPNEGO in secure mode suffer 
> from the same problem. For example, NNs / JNs create HTTP connections to 
> exchange fsimage and edit logs. Currently all of them are through 
> {{AuthenticatedURL}}. This needs to be fixed to avoid security 
> vulnerabilities.
> This jira proposes to remove {{AuthenticatedURL}} from hadoop core and to 
> move it to oozie.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
