[jira] [Updated] (HADOOP-10850) KerberosAuthenticator should not do the SPNEGO handshake

Wed, 30 Jul 2014 09:32:45 -0700 

     [ 
https://issues.apache.org/jira/browse/HADOOP-10850?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alejandro Abdelnur updated HADOOP-10850:
----------------------------------------

    Attachment: testorder.patch

[~daryn], I believe the tests are passing for you because the order they are 
running. If the {{testNotAuthenticated()}} runs before the 
{{testAuthenticated()}}, then localhost will be blacklisted as not supported, 
if the run in the opposite order, then things work because localhost is not 
blacklisted.

I'm attaching a patch with a new test {{TestX}} (based on the 
{{TestKerberosAuthenticator}} test) which demonstrates this, it has 2 methods: 
{{testOrderOk()}} and {{testOrderFailing()}}. these method simply invoke in 
diff order the original 2 testcases. 

*Using hadoop-auth client SPNEGO*:

Apply the {{testorder.patch}} patch on trunk and run  2 diff mvn test 
invocations, one running {{TestX#testOrderOk}} and the other running 
{{TestX#testOrderFailing}}:

{code}
$ mvn test -Dtest=TestX#testOrderOk

$ mvn test -Dtest=TestX#testOrderFailing
{code}
 
Both testcases run OK.

*Using JDK client SPNEGO*:

Apply both, the {{testorder.patch}} and the HADOOP-10850.patch, patches on 
trunk and run  2 diff mvn test invocations, one running {{TestX#testOrderOk}} 
and the other running {{TestX#testOrderFailing}}:

{code}
$ mvn test -Dtest=TestX#testOrderOk

$ mvn test -Dtest=TestX#testOrderFailing
{code}
 
Now one test fails.

This is using both Sun JDK6 and JDK7:

java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)





> KerberosAuthenticator should not do the SPNEGO handshake
> --------------------------------------------------------
>
>                 Key: HADOOP-10850
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10850
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-10850.patch, testFailures.png, testorder.patch
>
>
> As mentioned in HADOOP-10453, the JDK automatically does a SPNEGO handshake 
> when opening a connection with a URL within a Kerberos login context, there 
> is no need to do the SPNEGO handshake in the {{KerberosAuthenticator}}, 
> simply extract the auth token (hadoop-auth cookie) and do the fallback if 
> necessary.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to