> On 2011-11-24 01:42:37, Angelo K. Huang wrote: > > /trunk/docs/src/site/twiki/DG_CommandLineTool.twiki, line 92 > > <https://reviews.apache.org/r/2875/diff/2/?file=59629#file59629line92> > > > > We should let user decide what kind of auth he/she wants to use. Ex. > > > > -auth simple > > -auth kerberos > > Alejandro Abdelnur wrote: > The client does not decide the authentication of the server. > > For example, out of the box the client handles both kerberos and simple > and it will do what the server responds. > > If you see the KerberosAuthenticator implementation delegates to the > SimpleAuthenticator. > > If you have a custom mechanism you could do the same, delegating to > KerberosAuthenticator which in turn will delegate to SimpleAuthenticator. > > > > Angelo K. Huang wrote: > Actually, there is one case which could be tricky to implement. If I want > to implement one password authenticator which allow users type their unix > password, according to what you described above, this authenticator has to > delegate to kerberos authenticator. That means a user has to always type > password first and then fall back to kerberos even he/she intents to use > kerberos in the beginning. What if the password auth also allows users to > retype three times? If a user intents to use kerberos, he/she has to type > three times of wrong password to make it failed and then fall back to > kerberos.
well, in that case, if your first level auth is user/password auth, then to skip it you could use a system property when invoking Oozie CLI (ie -Dskip.password) and your password client authenticator would (in the presence of this system property) delegate directly to Kerberos without trying to get the password. That would be a way of solving that. Note that this is required because it is not the server in this case the one that is telling you the auth to use, it is the client that is trying to decide this. - Alejandro ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/2875/#review3498 ----------------------------------------------------------- On 2011-11-24 16:45:59, Alejandro Abdelnur wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/2875/ > ----------------------------------------------------------- > > (Updated 2011-11-24 16:45:59) > > > Review request for oozie. > > > Summary > ------- > > Using hadoop-auth (Alfredo) 0.23.0. > > Currently using SNAPSHOT because 0.23.0 artifacts have not be published to > Apache Maven repo yet. > > > This addresses bug OOZIE-77. > https://issues.apache.org/jira/browse/OOZIE-77 > > > Diffs > ----- > > /trunk/client/pom.xml 1205923 > /trunk/client/src/main/bin/oozie 1205923 > /trunk/client/src/main/java/org/apache/oozie/cli/OozieCLI.java 1205923 > /trunk/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java > PRE-CREATION > /trunk/core/pom.xml 1205923 > /trunk/core/src/main/conf/oozie-log4j.properties 1205923 > /trunk/core/src/main/conf/oozie-site.xml 1205923 > /trunk/core/src/main/java/org/apache/oozie/servlet/AuthFilter.java > PRE-CREATION > /trunk/core/src/main/resources/oozie-default.xml 1205923 > /trunk/core/src/test/java/org/apache/oozie/servlet/DagServletTestCase.java > 1205923 > > /trunk/core/src/test/java/org/apache/oozie/servlet/TestAuthFilterAuthOozieClient.java > PRE-CREATION > /trunk/docs/src/site/twiki/AG_Install.twiki 1205923 > /trunk/docs/src/site/twiki/DG_CommandLineTool.twiki 1205923 > /trunk/pom.xml 1205923 > /trunk/webapp/pom.xml 1205923 > /trunk/webapp/src/main/webapp/WEB-INF/web.xml 1205923 > > Diff: https://reviews.apache.org/r/2875/diff > > > Testing > ------- > > > Thanks, > > Alejandro > >
