[
https://issues.apache.org/jira/browse/HADOOP-10850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14077932#comment-14077932
]
Daryn Sharp commented on HADOOP-10850:
--------------------------------------
Interesting. Let me look into the jdk code too. We had to remove
AuthenticatedURL because it was causing all kinds of problems like replay
attacks, retries when spnego failed for a completely valid reason, and
fallbacks to the pseudo authenticator causing the same thing.
Speaking wrt to webhdfs, POST/PUT isn't a problem because the client explicitly
does a "two-step write". The redirect that actually does the POST/PUT to DN
uses a token. Kerberos isn't valid because the DN's DFSClient must have a
token. Webhdfs also specifically requests a token on the first call, and
always uses it after that to avoid repeated spnego negotiations.
> KerberosAuthenticator should not do the SPNEGO handshake
> --------------------------------------------------------
>
> Key: HADOOP-10850
> URL: https://issues.apache.org/jira/browse/HADOOP-10850
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
>
> As mentioned in HADOOP-10453, the JDK automatically does a SPNEGO handshake
> when opening a connection with a URL within a Kerberos login context, there
> is no need to do the SPNEGO handshake in the {{KerberosAuthenticator}},
> simply extract the auth token (hadoop-auth cookie) and do the fallback if
> necessary.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
