[
https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13954390#comment-13954390
]
Daryn Sharp commented on HDFS-4564:
-----------------------------------
bq. Correct me if I'm wrong, but it looks like the following code handles the
case you mentioned.
It does, but it creates an incredible noisy exception trace that reports the
failure as the response not being json. The specific throw provides a clean
"authenticated required" message.
bq. The current code also covers this for explicitly getting, renewing, or
canceling a token. Your patch changes this part and pass false to the url
factory so it bypasses the use of authenticated url (per your comments in
HADOOP-10301). Could you give more details how it works without using the
authenticated url?
The current code only checks the TGT implicitly via AuthenticatedURL. Prior to
this patch, AuthenticatedURL is only used for token operations. All other
operations do not use it since they authenticate with a token.
With this patch, AuthenticatedURL is not used because it is buggy in part to
causing replay attacks, double attempts to kerberos authenticate with the
fallback authenticator if the TGT is expired, incorrectly uses the fallback
authenticator (required by oozie servers) to add the username parameter which
webhdfs has already included in the uri. AuthenticatedURL's attempt to do
SPNEGO auth is a no-op because the JDK transparently does SPNEGO when the
user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL is
now not used, webhdfs has to check the TGT itself for token operations.
Bottom line is AuthenticatedURL is unnecessary and introduces nothing but
problems for webhdfs. It's only useful for oozie's anon/non-anon support.
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch,
> HDFS-4564.branch-23.patch, HDFS-4564.patch, HDFS-4564.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples including rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
