[jira] [Assigned] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bowen Zhang reassigned HADOOP-11837:
Assignee: Bowen Zhang (was: Venkat Ranganathan)

After HADOOP-11754, oozie fails to stop cleanly
---
Key: HADOOP-11837
URL: https://issues.apache.org/jira/browse/HADOOP-11837
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.7.0
Reporter: Venkat Ranganathan
Assignee: Bowen Zhang
Priority: Blocker
Fix For: 2.7.0
Attachments: HADOOP-11837.patch

After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy the secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bowen Zhang updated HADOOP-11837:
Attachment: HADOOP-11837.patch
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bowen Zhang updated HADOOP-11837:
Attachment: HADOOP-11837.patch
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bowen Zhang updated HADOOP-11837:
Status: Patch Available (was: Open)
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13943219#comment-13943219 ]

Bowen Zhang commented on HADOOP-10398:

[~tucu00], when we disable anonymous request, the code works since
{code}
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK)
{code}
evaluates to false because we get 401 back. When we allow anonymous, the above if statement returns true but there is no token. What is the special token you are talking about?

KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
---
Key: HADOOP-10398
URL: https://issues.apache.org/jira/browse/HADOOP-10398
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Tsz Wo Nicholas Sze
Assignee: Tsz Wo Nicholas Sze
Attachments: a.txt, c10398_20140310.patch

{code}
//KerberosAuthenticator.java
if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug("JDK performed authentication on our behalf.");
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
  AuthenticatedURL.extractToken(conn, token);
  return;
} else ...
{code}
The problem of the code above is that HTTP_OK does not imply authentication completed. We should check if the token can be extracted successfully.

This problem was reported by [~bowenzhangusa] in [this comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823] earlier.

--
This message was sent by Atlassian JIRA (v6.2#6252)
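Added example, not part of the JIRA thread or the attached patch: a self-contained Java sketch of the check the issue description asks for, treating a 200 response as authenticated only when a non-empty hadoop.auth cookie actually comes back. The class name, the Outcome enum and the sample responses are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Added illustration only; not Hadoop's KerberosAuthenticator and not the attached patch.
public class TokenAwareAuthCheck {

    // Cookie that carries the signed hadoop-auth token.
    static final String AUTH_COOKIE = "hadoop.auth";

    enum Outcome { AUTHENTICATED, NEGOTIATE_SPNEGO, FALL_BACK_TO_PSEUDO }

    /** Case-insensitive header lookup; tolerates the null key used for the status line. */
    static List<String> header(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return List.of();
    }

    /** Returns the token only if a non-empty hadoop.auth cookie was set by the server. */
    static Optional<String> extractAuthToken(Map<String, List<String>> headers) {
        String prefix = AUTH_COOKIE + "=";
        for (String cookie : header(headers, "Set-Cookie")) {
            if (!cookie.startsWith(prefix)) {
                continue;
            }
            String value = cookie.substring(prefix.length());
            int end = value.indexOf(';');          // drop Path=, HttpOnly, ...
            if (end >= 0) {
                value = value.substring(0, end);
            }
            value = value.trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);
            }
            if (!value.isEmpty()) {
                return Optional.of(value);
            }
        }
        return Optional.empty();
    }

    /** Decides the next client step from the status code and the response headers. */
    static Outcome decide(int status, Map<String, List<String>> headers) {
        if (status == 200) {
            // 200 alone proves nothing: a server that allows anonymous requests
            // answers 200 without issuing a token, so the caller stays unidentified.
            return extractAuthToken(headers).isPresent()
                    ? Outcome.AUTHENTICATED
                    : Outcome.FALL_BACK_TO_PSEUDO;
        }
        if (status == 401) {
            for (String v : header(headers, "WWW-Authenticate")) {
                if (v.trim().toLowerCase(Locale.ROOT).startsWith("negotiate")) {
                    return Outcome.NEGOTIATE_SPNEGO;
                }
            }
        }
        // Anything else: let the pseudo authenticator send user.name instead.
        return Outcome.FALL_BACK_TO_PSEUDO;
    }

    public static void main(String[] args) {
        // Constructed responses, not captured traffic.
        Map<String, List<String>> kerberosServer =
                Map.of("WWW-Authenticate", List.of("Negotiate"));
        Map<String, List<String>> tokenIssued = Map.of("Set-Cookie", List.of(
                "hadoop.auth=\"u=alice&p=alice&t=simple&e=0&s=CONSTRUCTED\"; Path=/"));
        Map<String, List<String>> anonymousAllowed =
                Map.of("Content-Type", List.of("application/json"));

        System.out.println("401 + Negotiate      -> " + decide(401, kerberosServer));
        System.out.println("200 + hadoop.auth    -> " + decide(200, tokenIssued));
        System.out.println("200, no token cookie -> " + decide(200, anonymousAllowed));
    }
}
```

The third case is the one discussed in this thread: the status-only check would stop there with an unset token, and the server would then see the caller as anonymous.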
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13943820#comment-13943820 ]

Bowen Zhang commented on HADOOP-10398:

Overall, I think it's a bad design for oozie to use KerberosAuthenticator in a non-secure environment and expect hadoop client to fall back to PseudoAuthenticator.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13941430#comment-13941430 ]

Bowen Zhang commented on HADOOP-10398:

Can you give us more time before invalidating the jira?
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13941979#comment-13941979 ]

Bowen Zhang commented on HADOOP-10398:

We have 2 issues here:

1. Say, if we allow anonymous request and disable authorization like you mentioned above, then this flag -Doozie.auth.token.cache=false will determine whether the request can pick the right auth token. If you put -Doozie.auth.token.cache=false as part of your command line, then your request will not have token like this one u=bzhang&p=bzhang&t=simple&e=1394524353045&s=x/DrPWzyjbHP0KF57ta/5ZBrs+8= at all since we fail to fall back to PseudoAuthenticator in KerberosAuthenticator.java due to HADOOP-10078. While on the other hand, if we use auth token cache, we will pick up the right token from the cache file. In production, we generally don't want to use the token cache since multiple different users on the same machine can mess up the token.

2. Like [~rkanter] mentioned above, oozie.service.AuthorizationService.security.enabled and oozie.authentication.simple.anonymous.allowed are not mutually exclusive from oozie product point of view. When we allow anonymous request and enable authorization at the same time, we are merely saying anonymous users can view the web console or other job info, it's just we enforce only the owner and admin can kill/modify a job. The anonymous config has more to do with viewing oozie webconsole and the authorization config has more to do with who can modify a job, [~rkanter], do you agree?
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942127#comment-13942127 ]

Bowen Zhang commented on HADOOP-10398:

[~rkanter],

1) in production, what you said is theoretically true. But, we do see customers share or mount the same directories on flubber. This is also probably why we have this -Doozie.auth.token.cache flag to begin with.

2) No, I don't have this problem when we don't set -Doozie.auth.token.cache to false.

The core of the issue is this: when enabling security, to kill a job, there are two ways to set user.name which AuthorizationService.java will use to authorize operation in public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException. One is to read the token cache file, the other is through calling

    if (!currentToken.isSet()) {
        Authenticator authenticator = getAuthenticator();
        try {
            new AuthenticatedURL(authenticator).openConnection(url, currentToken);
        }
        catch (AuthenticationException ex) {
            AUTH_TOKEN_CACHE_FILE.delete();
            throw new OozieClientException(OozieClientException.AUTHENTICATION,
                    "Could not authenticate, " + ex.getMessage(), ex);
        }
    }

in authoozieclient.java. Due to hadoop-10078, we no longer get user.name anymore.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942556#comment-13942556 ]

Bowen Zhang commented on HADOOP-10398:

[~tucu00], by looking at apache oozie trunk, oozie.authentication.simple.anonymous.allowed is set to true by default. And refer to your previous comment, "If ANONYMOUS is enabled, then there is a token (cookie) and the response is 200. This does not trigger a fallback." That is not true. We see response of 200 without a token when enabling ANONYMOUS. And the fact that there is token triggered our problem.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942589#comment-13942589 ]

Bowen Zhang commented on HADOOP-10398:

Correct my last statement from previous comment. It should be "And the fact that there is no token triggered our problem."
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13940635#comment-13940635 ]

Bowen Zhang commented on HADOOP-10398:

When you try to kill or suspend an oozie job, and you enable the oozie.service.AuthorizationService.security.enabled in oozie-site.xml, then you need to put user info during authentication.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13940713#comment-13940713 ]

Bowen Zhang commented on HADOOP-10398:

[~rkanter], can you jump into the discussion since you did the previous commit?
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13940803#comment-13940803 ]

Bowen Zhang commented on HADOOP-10398:

[~rkanter], you are asking the right question. The user is showing up as anonymous when killing the job because of this bug. If we fall back to PseudoAuthenticator, we will pick the system value user.name, so user will not be anonymous.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13940810#comment-13940810 ]

Bowen Zhang commented on HADOOP-10398:

the user who is killing the job is indeed the user who submitted the job. And the PseudoAuthenticator is supposed to pick up the user.name so on oozie server side, we know who the user is to authorize kill/suspend.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13939951#comment-13939951 ]

Bowen Zhang commented on HADOOP-10398:

the server is anonymous.
[jira] [Updated] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bowen Zhang updated HADOOP-10398:
Attachment: a.txt
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13935688#comment-13935688 ]

Bowen Zhang commented on HADOOP-10398:

I attached the tcp dump when issuing bin/oozie -Doozie.auth.token.cache=false job -oozie http://localhost:11000/oozie -kill 000-140314142500148-oozie-bzha-W command.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13926377#comment-13926377 ]

Bowen Zhang commented on HADOOP-10398:

This solved the problem.
[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078
[ https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13929745#comment-13929745 ]

Bowen Zhang commented on HADOOP-10398:

In oozie in an unsecured cluster, if you specify -Doozie.auth.token.cache=false to do a kill or suspend command, AuthOozieClient.java will call new AuthenticatedURL(authenticator).openConnection(url, currentToken); under createTokenBasedAuthConnection method. In KerberosAuthenticator.java, this line seems to be always returning true if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) even before the bug was introduced.