[ https://issues.apache.org/jira/browse/HADOOP-9461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harsh J resolved HADOOP-9461.
-----------------------------
Resolution: Won't Fix
Not an issue on trunk/branch-2.
> JobTracker and NameNode both grant delegation tokens to non-secure clients
> --------------------------------------------------------------------------
>
> Key: HADOOP-9461
> URL: https://issues.apache.org/jira/browse/HADOOP-9461
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Harsh J
> Assignee: Harsh J
> Priority: Minor
>
> If one looks at the MAPREDUCE-1516 added logic in JobTracker.java's
> isAllowedDelegationTokenOp() method, and applies the non-secure states of
> UGI.isSecurityEnabled == false and authMethod == SIMPLE, the return result is
> true when the intention is false (due to the shorted conditionals).
> This is allowing non-secure JobClients to easily request and use
> DelegationTokens and cause unwanted errors to be printed in the JobTracker
> when the renewer attempts to run. Ideally such clients ought to get an error
> if they request a DT in non-secure mode.
> HDFS in trunk and branch-1 both have the same problem too. Trunk MR
> (HistoryServer) and YARN are, however, unaffected due to a simpler, inlined
> logic instead of reuse of this faulty method.
> Note that fixing this will break Oozie today, due to the merged logic of
> OOZIE-734. Oozie will require a fix as well if this is to be fixed in
> branch-1. As a result, I'm going to mark this as an Incompatible Change.
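The short-circuit behaviour described in the issue, modelled as an added example; this is not the Hadoop source or the reporter's code. The class, enum and method names and the set of "strong" methods are assumptions made for illustration: a deny-list style check falls through to `true` when security is disabled, while an allow-list style check refuses the request.

```java
import java.util.EnumSet;

public class DelegationTokenGate {
    // Constructed stand-in for the connection's authentication method.
    enum AuthMethod { SIMPLE, KERBEROS, TOKEN }

    // Assumption for this model: only KERBEROS may request a delegation token.
    static final EnumSet<AuthMethod> STRONG = EnumSet.of(AuthMethod.KERBEROS);

    // Deny-list shape: refuses only when security is on AND the method is weak.
    // With securityEnabled == false the && stops at its first operand, the
    // auth method is never inspected, and control falls through to true.
    static boolean allowedShortCircuit(boolean securityEnabled, AuthMethod m) {
        if (securityEnabled && !STRONG.contains(m)) {
            return false;
        }
        return true;
    }

    // Allow-list shape: a token operation is permitted only when security is
    // enabled and the caller used a strong method; everything else is refused.
    static boolean allowedStrict(boolean securityEnabled, AuthMethod m) {
        return securityEnabled && STRONG.contains(m);
    }

    public static void main(String[] args) {
        // Print the full state matrix so the rows where the two checks
        // disagree (security disabled) are visible side by side.
        for (boolean sec : new boolean[] {false, true}) {
            for (AuthMethod m : AuthMethod.values()) {
                System.out.printf("security=%-5b auth=%-8s shortCircuit=%-5b strict=%b%n",
                        sec, m, allowedShortCircuit(sec, m), allowedStrict(sec, m));
            }
        }
    }
}
```

A unit test that enumerates every (security flag, auth method) pair against the intended result catches this class of bug, because the disagreement only appears in the security-disabled rows.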