[ https://issues.apache.org/jira/browse/HADOOP-10850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14078312#comment-14078312 ]

Alejandro Abdelnur commented on HADOOP-10850:
---------------------------------------------

{{NegotiatorImpl}} constructor throws the exception calling its {{init()}} 
method if you are not within a Kerberos login context:

{code}
    private void init(final String hostname, String scheme) throws GSSException {
        // "1.2.840.113554.1.2.2" Kerberos
        // "1.3.6.1.5.5.2" SPNEGO
        final Oid oid;
        
        if (scheme.equalsIgnoreCase("Kerberos")) {
            // we can only use Kerberos mech when the scheme is kerberos
            oid = GSSUtil.GSS_KRB5_MECH_OID;
        } else {
            String pref = (String)java.security.AccessController.doPrivileged( 
                    new java.security.PrivilegedAction() {
                        public Object run() {
                            return System.getProperty(
                                "http.auth.preference",
                                "spnego");
                        }
                    });
            if (pref.equalsIgnoreCase("kerberos")) {
                oid = GSSUtil.GSS_KRB5_MECH_OID;
            } else {
                // currently there is no 3rd mech we can use
                oid = GSSUtil.GSS_SPNEGO_MECH_OID;
            }
        }
        
        GSSManagerImpl manager = new GSSManagerImpl(
                GSSUtil.CALLER_HTTP_NEGOTIATE);

        String peerName = "HTTP/" + hostname;

        GSSName serverName = manager.createName(peerName, null);
        context = manager.createContext(serverName,
                                        oid,
                                        null,
                                        GSSContext.DEFAULT_LIFETIME);
        
        context.requestCredDeleg(true);
        oneToken = context.initSecContext(new byte[0], 0, 0);
    }
{code}


> KerberosAuthenticator should not do the SPNEGO handshake
> --------------------------------------------------------
>
>                 Key: HADOOP-10850
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10850
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>
> As mentioned in HADOOP-10453, the JDK automatically does a SPNEGO handshake 
> when opening a connection with a URL within a Kerberos login context, there 
> is no need to do the SPNEGO handshake in the {{KerberosAuthenticator}}, 
> simply extract the auth token (hadoop-auth cookie) and do the fallback if 
> necessary.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
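
Added example, not part of the JIRA comment or of Hadoop's code: a sketch of the client-side step the issue description proposes once the JDK has handled any SPNEGO exchange itself, namely reading the auth cookie from the response or signalling that the fallback is needed. The class and method names are hypothetical, and the cookie name hadoop.auth is an assumption (the description only says "hadoop-auth cookie").

```java
import java.net.HttpURLConnection;
import java.util.List;
import java.util.Map;

public class AuthCookieExample {
    // Assumed cookie name; the issue text only says "hadoop-auth cookie".
    static final String AUTH_COOKIE = "hadoop.auth";

    /**
     * Returns the auth token from a response the JDK has already negotiated,
     * or null when the caller should use its fallback authenticator.
     */
    static String extractToken(int status, Map<String, List<String>> headers) {
        if (status != HttpURLConnection.HTTP_OK) {
            return null; // e.g. 401: negotiation did not succeed
        }
        for (Map.Entry<String, List<String>> h : headers.entrySet()) {
            // getHeaderFields() maps the status line to a null key
            if (h.getKey() == null || !h.getKey().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            for (String cookie : h.getValue()) {
                String pair = cookie.split(";", 2)[0].trim(); // drop Path, HttpOnly, ...
                if (!pair.startsWith(AUTH_COOKIE + "=")) {
                    continue;
                }
                String value = pair.substring(AUTH_COOKIE.length() + 1);
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1); // strip quotes
                }
                return value.isEmpty() ? null : value; // empty value: treat as no token
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic (Map.of needs Java 9+).
        Map<String, List<String>> ok = Map.of("Set-Cookie", List.of(
                "JSESSIONID=abc; Path=/",
                "hadoop.auth=\"u=alice&t=kerberos&e=0&s=sig\"; Path=/; HttpOnly"));
        Map<String, List<String>> denied = Map.of("WWW-Authenticate", List.of("Negotiate"));
        System.out.println(extractToken(200, ok));
        System.out.println(extractToken(401, denied));
    }
}
```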
