[
https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883162#comment-13883162
]
Alejandro Abdelnur commented on HDFS-4564:
------------------------------------------
[~daryn], thx for sniffing around to see what's going on. So it seems the
{{KerberosAuthenticator}} (hadoop-auth Kerberos client side), could be
simplified to remove all the SPNEGO handshake and let the JDK do that provided
you are in a DO-AS block. The {{KerberosAuthenticator}} would simply extract
the AUTH_COOKIE into a hadoop-auth token cookie via
{{AuthenticatedURL.extractToken(conn, token)}} and delegate to the fallback if
no cookie is present. The presence of the hadoop-auth token cookie, when using
the AuthenticatedURL, will skip completely the 'authentication' path in both
the client and the server side. Now, what we have to see is what happens when
you are UGI logged in but you don't do this within a DO-AS block.
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.