[ https://issues.apache.org/jira/browse/HADOOP-10453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karthik Kambatla updated HADOOP-10453:
--------------------------------------
    Target Version/s: 2.6.0  (was: 2.5.0)

(Moving this out of 2.5)

We can continue this conversation and handle this in 2.6.

> Do not use AuthenticatedURL in hadoop core
> ------------------------------------------
>
>                 Key: HADOOP-10453
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10453
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haohui Mai
>            Priority: Blocker
>
> As [~daryn] has suggested in HDFS-4564:
> {quote}
> AuthenticatedURL is not used because it is buggy in part to causing replay
> attacks, double attempts to kerberos authenticate with the fallback
> authenticator if the TGT is expired, incorrectly uses the fallback
> authenticator (required by oozie servers) to add the username parameter which
> webhdfs has already included in the uri.
> AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK
> transparently does SPNEGO when the user's Subject (UGI) contains kerberos
> principals. Since AuthenticatedURL is now not used, webhdfs has to check the
> TGT itself for token operations.
> Bottom line is AuthenticatedURL is unnecessary and introduces nothing but
> problems for webhdfs. It's only useful for oozie's anon/non-anon support.
> {quote}
> However, several functionalities that rely on SPNEGO in secure mode suffer
> from the same problem. For example, NNs / JNs create HTTP connections to
> exchange fsimage and edit logs. Currently all of them are through
> {{AuthenticatedURL}}. This needs to be fixed to avoid security
> vulnerabilities.
> This jira proposes to remove {{AuthenticatedURL}} from hadoop core and to
> move it to oozie.

--
This message was sent by Atlassian JIRA
(v6.2#6252)