[ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883024#comment-13883024 ]

Alejandro Abdelnur commented on HDFS-4564:
------------------------------------------
[~daryn], the hadoop-auth part of the patch LGTM, but it should be a separate
HADOOP JIRA.

Regarding not using the AuthenticatedUrl on the client side: yes and no. When
I first implemented hadoop-auth, I was not aware that the JDK HttpURLConnection
was triggering SPNEGO if you are in a DO-AS block. When I found that out and dug
in a bit, I found that the JDK HttpURLConnection SPNEGO is not following the
spec. The spec states that the client should send the
{{Authorization: Negotiate <TOKEN>}} header only when the server response has a
{{WWW-Authenticate: Negotiate}}, but the JDK is doing this proactively on every
request (as opposed to in response to {{WWW-Authenticate: Negotiate}}). In
theory this has a nice consequence: you don't need an extra round trip. In
practice it means that the client and server are exercising SPNEGO on every
request. I never had the time to investigate what exactly this means from a
performance perspective and interactions with the KDC (client and server side).

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.
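
Added example, not part of the original comment or of Hadoop's code: a small Python check that applies the rule quoted in the comment above to a constructed sequence of HTTP exchanges. It counts, per client, how many Authorization: Negotiate tokens followed a WWW-Authenticate: Negotiate challenge and how many were sent unprompted. The tuple layout, client labels and function names are assumptions made for the illustration.

```python
from collections import defaultdict


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _offers_negotiate(status, headers):
    """True for a 401 whose WWW-Authenticate lists the Negotiate scheme."""
    if status != 401:
        return False
    challenges = _header(headers, "WWW-Authenticate").split(",")
    return any(c.strip().lower().split(" ")[0] == "negotiate" for c in challenges)


def classify_negotiate_use(exchanges):
    """Count, per client, Negotiate tokens sent after a challenge vs. unprompted."""
    pending = defaultdict(bool)  # client -> previous response was a Negotiate challenge
    counts = defaultdict(lambda: {"challenged": 0, "proactive": 0, "requests": 0})
    for client, req_headers, status, resp_headers in exchanges:
        counts[client]["requests"] += 1
        auth = _header(req_headers, "Authorization")
        if auth.lower().startswith("negotiate "):
            kind = "challenged" if pending[client] else "proactive"
            counts[client][kind] += 1
        pending[client] = _offers_negotiate(status, resp_headers)
    return {client: dict(c) for client, c in counts.items()}


# Constructed sample traffic: (client, request headers, status, response headers).
# Tokens are placeholders, not real GSS-API blobs.
SAMPLE = [
    ("reactive", {}, 401, {"WWW-Authenticate": "Negotiate"}),
    ("reactive", {"Authorization": "Negotiate TOKEN-1"}, 200, {}),
    ("reactive", {}, 401, {"www-authenticate": "Negotiate"}),
    ("reactive", {"authorization": "Negotiate TOKEN-2"}, 200, {}),
    ("proactive", {"Authorization": "Negotiate TOKEN-3"}, 200, {}),
    ("proactive", {"Authorization": "Negotiate TOKEN-4"}, 200, {}),
    ("proactive", {"Authorization": "Negotiate TOKEN-5"}, 403, {}),  # denied operation
]

if __name__ == "__main__":
    for client, result in classify_negotiate_use(SAMPLE).items():
        print(client, result)
```

In the sample, the challenge-driven client needs four requests for two operations, while the unprompted client needs three requests for three operations but attaches a token to every one of them.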