[
https://issues.apache.org/jira/browse/HADOOP-10453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karthik Kambatla updated HADOOP-10453:
--------------------------------------
Target Version/s: 2.6.0 (was: 2.5.0)
(Moving this out of 2.5)
We can continue this conversation and handle this in 2.6.
> Do not use AuthenticatedURL in hadoop core
> ------------------------------------------
>
> Key: HADOOP-10453
> URL: https://issues.apache.org/jira/browse/HADOOP-10453
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Haohui Mai
> Priority: Blocker
>
> As [~daryn] has suggested in HDFS-4564:
> {quote}
> AuthenticatedURL is not used because it is buggy in part to causing replay
> attacks, double attempts to kerberos authenticate with the fallback
> authenticator if the TGT is expired, incorrectly uses the fallback
> authenticator (required by oozie servers) to add the username parameter which
> webhdfs has already included in the uri.
> AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK
> transparently does SPNEGO when the user's Subject (UGI) contains kerberos
> principals. Since AuthenticatedURL is now not used, webhdfs has to check the
> TGT itself for token operations.
> Bottom line is AuthenticatedURL is unnecessary and introduces nothing but
> problems for webhdfs. It's only useful for oozie's anon/non-anon support.
> {quote}
> However, several functionalities that relies on SPNEGO in secure mode suffer
> from the same problem. For example, NNs / JNs create HTTP connections to
> exchange fsimage and edit logs. Currently all of them are through
> {{AuthenticatedURL}}. This needs to be fixed to avoid security
> vulnerabilities.
> This jira purposes to remove {{AuthenticatedURL}} from hadoop core and to
> move it to oozie.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
