[
https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13949977#comment-13949977
]
Jing Zhao edited comment on HDFS-4564 at 3/27/14 9:43 PM:
----------------------------------------------------------
# Why do we want to do this extra check for 401?
{code}
+ // server is demanding an authentication we don't support
+ if (code == HttpURLConnection.HTTP_UNAUTHORIZED) {
+ throw new IOException(
+ new AuthenticationException(conn.getResponseMessage()));
+ }
{code}
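Review bot: conn.getResponseMessage() can return null, so the AuthenticationException built in the 401 branch may carry no message at all. Consider falling back to fixed text that includes the status code, so the failure can be diagnosed from the log. The comment above the check also says the server is demanding an authentication we don't support, while the condition matches every HTTP_UNAUTHORIZED response; either narrow the condition or reword the comment.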
# I think the following check should be included in the shouldRetry method.
{code}
+ Throwable cause = ioe.getCause();
+ if (cause != null && cause instanceof AuthenticationException) {
+ throw ioe; // no retries for auth failures
+ }
{code}
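Review bot: the cause != null test in the if condition is redundant, because instanceof already evaluates to false for null; "if (cause instanceof AuthenticationException)" is enough. Only the immediate cause of ioe is inspected, so an AuthenticationException wrapped one level deeper would not take the no-retry path; a comment should say whether that is intended.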
# I guess the checkTGTAndReloginFromKeytab has been covered by the current
code? In the current implementation, before every operation webhdfsfs first
calls ensureTokenInitialized which fetches token if necessary. And in this
process before we open the connection, checkTGTAndReloginFromKeytab is called
if necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want
to change this mechanism, I think we should open a separate jira to do it.
{code}
+ if (op.getRequireAuth()) {
+ connectUgi.checkTGTAndReloginFromKeytab();
+ }
{code}
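Review bot: the checkTGTAndReloginFromKeytab() call under op.getRequireAuth() has no comment saying why a relogin check is needed at this point. Add a line stating which case it covers, so a reader can tell it apart from any relogin already done on the connection path.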
was (Author: jingzhao):
# Why do we want to do this extra check for 401?
{code}
+ // server is demanding an authentication we don't support
+ if (code == HttpURLConnection.HTTP_UNAUTHORIZED) {
+ throw new IOException(
+ new AuthenticationException(conn.getResponseMessage()));
+ }
{code}
# I think the following check should be included in the shouldRetry method.
{code}
+ Throwable cause = ioe.getCause();
+ if (cause != null && cause instanceof AuthenticationException) {
+ throw ioe; // no retries for auth failures
+ }
{code}
# I guess the checkTGTAndReloginFromKeytab has been covered by the current
code? In the current implementation, before everywebhdfsfs first calls
ensureTokenInitialized which fetches token if necessary. And in this process
before we open the connection, checkTGTAndReloginFromKeytab is called if
necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want to
change this mechanism, I think we should open a separate jira to do it.
{code}
+ if (op.getRequireAuth()) {
+ connectUgi.checkTGTAndReloginFromKeytab();
+ }
{code}
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch,
> HDFS-4564.branch-23.patch, HDFS-4564.patch, HDFS-4564.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.