[jira] [Assigned] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bowen Zhang reassigned HADOOP-11837: Assignee: Bowen Zhang (was: Venkat Ranganathan) After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Bowen Zhang Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bowen Zhang updated HADOOP-11837: - Attachment: HADOOP-11837.patch After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Bowen Zhang Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch, HADOOP-11837.patch, HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bowen Zhang updated HADOOP-11837: - Attachment: HADOOP-11837.patch After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Bowen Zhang Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch, HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bowen Zhang updated HADOOP-11837: - Status: Patch Available (was: Open) After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13943219#comment-13943219
]
Bowen Zhang commented on HADOOP-10398:
--
[~tucu00], when we disable anonymous request, the code works since
{code}
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK)
{code}
evaluates to false because we get 401 back. When we allow anonymous, the above
if statement returns true but there is no token. What is the special token you
are talking about?
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13943820#comment-13943820
]
Bowen Zhang commented on HADOOP-10398:
--
Overall, I think it's a bad design for oozie to use KerberosAuthenticator in a
non-secure environment and expect hadoop client to fall back to
PseudoAuthenticator.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13941430#comment-13941430
]
Bowen Zhang commented on HADOOP-10398:
--
Can you give us more time before invalidating the jira?
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13941979#comment-13941979
]
Bowen Zhang commented on HADOOP-10398:
--
We have 2 issues here:
1.Say, if we allow anonymous request and disable authorization like you
mentioned above, then this flag -Doozie.auth.token.cache=false will determine
whether the request can pick the right auth token. If you put
-Doozie.auth.token.cache=false as part of your command line, then your
request will not have token like this one
u=bzhangp=bzhangt=simplee=1394524353045s=x/DrPWzyjbHP0KF57ta/5ZBrs+8= at
all since we fail to fall back to PseudoAuthenticator in
KerberosAuthenticator.java due to HADOOP-10078. While on the other hand, if we
use auth token cache, we will pick up the right token from the cahce file. In
production, we generally don't want to use the token cache since multiple
different users on the same machine can mess up the token.
2, like [~rkanter] mentioned above,
oozie.service.AuthorizationService.security.enabled and
oozie.authentication.simple.anonymous.allowed are not mutually exclusive from
oozie product point of view. When we allow anonymous request and enable
authorization at the same time, we are merely saying anonymous users can view
the web console or other job info, it's just we enforce only the owner and
admin can kill/modify a job. The anonymous config has more to do with viewing
oozie webconsole and the authorization config has more to do with who can
modify a job,
[~rkanter], do you agree?
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13942127#comment-13942127
]
Bowen Zhang commented on HADOOP-10398:
--
[~rkanter], 1) in production, what you said is theoretically true. But, we do
see customers share or mount the same directories on flubber. This is also
probably why we have this -Doozie.auth.token.cache flag to begin with.
2) No, I don't have this problem when we don't set -Doozie.auth.token.cache
to false.
The core of the issue is this: when enabling security, to kill a job, there are
two ways to set user.name which AuthorizationService.java will use to
authorize operation in public void authorizeForJob(String user, String jobId,
boolean write) throws AuthorizationException. One is to read the token cahe
file, the other is through calling
if (!currentToken.isSet()) {
Authenticator authenticator = getAuthenticator();
try {
new AuthenticatedURL(authenticator).openConnection(url,
currentToken);
}
catch (AuthenticationException ex) {
AUTH_TOKEN_CACHE_FILE.delete();
throw new
OozieClientException(OozieClientException.AUTHENTICATION,
Could not authenticate, +
ex.getMessage(), ex);
}
}
in authoozieclient.java. Due to hadoop-10078, we no longer get user.name
anymore
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13942556#comment-13942556
]
Bowen Zhang commented on HADOOP-10398:
--
[~tucu00], by looking at apache oozie trunk,
oozie.authentication.simple.anonymous.allowed is set to true by default. And
refer to your previous comment, If ANONYMOUS is enabled, then there is a token
(cookie) and the respose is 200. This does not trigger a fallback. That is not
true. We see response of 200 without a token when enabling ANONYMOUS. And the
fact that there is token triggered our problem.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13942589#comment-13942589
]
Bowen Zhang commented on HADOOP-10398:
--
correct my last statement from previous comment. It should be And the fact
that there is no token triggered our problem.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13940635#comment-13940635
]
Bowen Zhang commented on HADOOP-10398:
--
When you try to kill or suspend an oozie job, and you enable the
oozie.service.AuthorizationService.security.enabled in oozie-site.xml, then
you need to put user info during authentication.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13940713#comment-13940713
]
Bowen Zhang commented on HADOOP-10398:
--
[~rkanter], can you jump into the discussion since you did the previous commit?
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13940803#comment-13940803
]
Bowen Zhang commented on HADOOP-10398:
--
[~rkanter], you are asking the right question. The user showing up as anonymous
when killing the job because of this bug. If we fall back to
PseudoAuthenticator, we will pick the system value user.name, so user will
not be anonymous.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13940810#comment-13940810
]
Bowen Zhang commented on HADOOP-10398:
--
the user who is killing the job is indeed the user who submitted the job. And
the PseudoAuthenticator is supposed to pick up the user.name so on oozie
server side, we know who the user is to authorize kill/suspend.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13939951#comment-13939951
]
Bowen Zhang commented on HADOOP-10398:
--
the server is anonymous.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Updated] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bowen Zhang updated HADOOP-10398:
-
Attachment: a.txt
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13935688#comment-13935688
]
Bowen Zhang commented on HADOOP-10398:
--
I attached the tcp dump when issuing bin/oozie -Doozie.auth.token.cache=false
job -oozie http://localhost:11000/oozie -kill
000-140314142500148-oozie-bzha-W command.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13926377#comment-13926377
]
Bowen Zhang commented on HADOOP-10398:
--
This solved the problem.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13929745#comment-13929745
]
Bowen Zhang commented on HADOOP-10398:
--
In oozie in an unsecured cluster, if you specify
-Doozie.auth.token.cache=false to do a kill or suspend command,
AuthOozieClient.java will call new
AuthenticatedURL(authenticator).openConnection(url, currentToken); under
createTokenBasedAuthConnection method. In KerberosAuthenticator.java, this line
seems to be always returning true if (conn.getResponseCode() ==
HttpURLConnection.HTTP_OK) even before the bug was introduced.
KerberosAuthenticator failed to fall back to PseudoAuthenticator after
HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: c10398_20140310.patch
{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
LOG.debug(JDK performed authentication on our behalf.);
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.extractToken(conn, token);
return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not implies authentication
completed. We should check if the token can be extracted successfully.
This problem was reported by [~bowenzhangusa] in [this
comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
