[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Tsz Wo Nicholas Sze (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13926108#comment-13926108
 ] 

Tsz Wo Nicholas Sze commented on HADOOP-10078:
--

I filed HADOOP-10398 for fixing the problem Bowen reported.

 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.3.0

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Suresh Srinivas (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13921342#comment-13921342
 ] 

Suresh Srinivas commented on HADOOP-10078:
--

[~tucu00], can you please take a look?

 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.3.0

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Suresh Srinivas (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13910724#comment-13910724
 ] 

Suresh Srinivas commented on HADOOP-10078:
--

[~tucu00], can you please responds to [~bowenzhangusa]?

 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.3.0

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Hudson (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13822320#comment-13822320
 ] 

Hudson commented on HADOOP-10078:
-

SUCCESS: Integrated in Hadoop-Yarn-trunk #391 (See 
[https://builds.apache.org/job/Hadoop-Yarn-trunk/391/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) 
(tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1541720)
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt


 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.2.1

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Hudson (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13822411#comment-13822411
 ] 

Hudson commented on HADOOP-10078:
-

FAILURE: Integrated in Hadoop-Mapreduce-trunk #1608 (See 
[https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1608/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) 
(tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1541720)
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt


 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.2.1

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Hudson (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13822436#comment-13822436
 ] 

Hudson commented on HADOOP-10078:
-

SUCCESS: Integrated in Hadoop-Hdfs-trunk #1582 (See 
[https://builds.apache.org/job/Hadoop-Hdfs-trunk/1582/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) 
(tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1541720)
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt


 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.2.1

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Alejandro Abdelnur (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13821795#comment-13821795
 ] 

Alejandro Abdelnur commented on HADOOP-10078:
-

+1

 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Hudson (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13821855#comment-13821855
 ] 

Hudson commented on HADOOP-10078:
-

SUCCESS: Integrated in Hadoop-trunk-Commit #4730 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/4730/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) 
(tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1541720)
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt


 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Fix For: 2.2.1

 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Hadoop QA (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810785#comment-13810785
 ] 

Hadoop QA commented on HADOOP-10078:


{color:green}+1 overall{color}.  Here are the results of testing the latest 
attachment 
  http://issues.apache.org/jira/secure/attachment/12611484/HADOOP-10078.patch
  against trunk revision .

{color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

{color:green}+1 tests included{color}.  The patch appears to include 1 new 
or modified test files.

{color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

{color:green}+1 javadoc{color}.  The javadoc tool did not generate any 
warning messages.

{color:green}+1 eclipse:eclipse{color}.  The patch built with 
eclipse:eclipse.

{color:green}+1 findbugs{color}.  The patch does not introduce any new 
Findbugs (version 1.3.9) warnings.

{color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

{color:green}+1 core tests{color}.  The patch passed unit tests in 
hadoop-common-project/hadoop-auth.

{color:green}+1 contrib tests{color}.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-HADOOP-Build/3260//testReport/
Console output: 
https://builds.apache.org/job/PreCommit-HADOOP-Build/3260//console

This message is automatically generated.

 KerberosAuthenticator always does SPNEGO
 

 Key: HADOOP-10078
 URL: https://issues.apache.org/jira/browse/HADOOP-10078
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
 Attachments: HADOOP-10078.patch


 HADOOP-8883 made this change to {{KerberosAuthenticator}}
 {code:java}
 @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
 Authenticator {
conn.setRequestMethod(AUTH_HTTP_METHOD);
conn.connect();

 -  if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
 +  if (conn.getRequestProperty(AUTHORIZATION) != null  
 conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
  LOG.debug(JDK performed authentication on our behalf.);
  // If the JDK already did the SPNEGO back-and-forth for
  // us, just pull out the token.
 {code}
 to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
 inadvertently made the if statement always false because it turns out that 
 the JDK excludes some headers, including the Authorization one that we're 
 checking (see discussion 
 [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
   This means that it was always either calling {{doSpnegoSequence(token);}} 
 or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
 actually the old behavior that existed before HADOOP-8855 changed it in the 
 first place.
 In any case, I tried removing the Authorization check and Oozie still works 
 with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
 properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1#6144)