[
https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883095#comment-13883095
]
Daryn Sharp commented on HDFS-4564:
-----------------------------------
I just sniffed our secure clusters doing a hadoop fs ls. It did not prefetch
service tickets. The server requested spnego for the getDelegationToken
request, client sent service ticket. The client then sent a file stat and list
status. Both operations sent the delegation token sans a service ticket. This
is with JDK7 although different JDKs may have different behavior.

I'm not sure it would be easy to ensure the client never does a pre-fetch of a
service ticket -- assuming other JDKs do that. About the only way I can
conceive of is to create a new subject/ugi with only the token. Token ops use the
current user, whereas other ops use the new subject. I'm not necessarily
suggesting this approach...
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.