[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13926108#comment-13926108 ]

Tsz Wo Nicholas Sze commented on HADOOP-10078:

I filed HADOOP-10398 for fixing the problem Bowen reported.

KerberosAuthenticator always does SPNEGO

Key: HADOOP-10078
URL: https://issues.apache.org/jira/browse/HADOOP-10078
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.0.3-alpha
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Minor
Fix For: 2.3.0
Attachments: HADOOP-10078.patch

HADOOP-8883 made this change to {{KerberosAuthenticator}}
{code:java}
@@ -158,7 +158,7 @@ public class KerberosAuthenticator implements Authenticator { conn.setRequestMethod(AUTH_HTTP_METHOD); conn.connect(); - if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) { + if (conn.getRequestProperty(AUTHORIZATION) != null conn.getResponseCode() == HttpURLConnection.HTTP_OK) { LOG.debug(JDK performed authentication on our behalf.); // If the JDK already did the SPNEGO back-and-forth for // us, just pull out the token.
{code}
to fix OOZIE-1010. However, as [~aklochkov] pointed out recently, this inadvertently made the if statement always false because it turns out that the JDK excludes some headers, including the Authorization one that we're checking (see discussion [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]). This means that it was always either calling {{doSpnegoSequence(token);}} or {{getFallBackAuthenticator().authenticate(url, token);}}, which is actually the old behavior that existed before HADOOP-8855 changed it in the first place. In any case, I tried removing the Authorization check and Oozie still works with and without Kerberos; the NPE reported in OOZIE-1010 has since been properly fixed as a side effect for a similar issue in OOZIE-1368.

--
This message was sent by Atlassian JIRA (v6.2#6252)
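Review bot: On the + line, the operand conn.getRequestProperty(AUTHORIZATION) != null is read back from the client-side connection object, and the description that follows the hunk says the JDK excludes the Authorization header from what that call returns, so this operand is always null and the condition can never be true. The "JDK performed authentication on our behalf" branch is then unreachable and every request goes through doSpnegoSequence(token) or the fallback authenticator. Suggest dropping the Authorization operand and deciding on conn.getResponseCode() == HttpURLConnection.HTTP_OK alone, which is the variant the reporter says still works for Oozie with and without Kerberos, and adding a test that actually reaches the HTTP_OK branch so a condition that is dead by construction fails the build.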
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13921342#comment-13921342 ]

Suresh Srinivas commented on HADOOP-10078:

[~tucu00], can you please take a look?
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13910724#comment-13910724 ]

Suresh Srinivas commented on HADOOP-10078:

[~tucu00], can you please respond to [~bowenzhangusa]?
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822320#comment-13822320 ]

Hudson commented on HADOOP-10078:

SUCCESS: Integrated in Hadoop-Yarn-trunk #391 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/391/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1541720)
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822411#comment-13822411 ]

Hudson commented on HADOOP-10078:

FAILURE: Integrated in Hadoop-Mapreduce-trunk #1608 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1608/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1541720)
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822436#comment-13822436 ]

Hudson commented on HADOOP-10078:

SUCCESS: Integrated in Hadoop-Hdfs-trunk #1582 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1582/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1541720)
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13821795#comment-13821795 ]

Alejandro Abdelnur commented on HADOOP-10078:

+1
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13821855#comment-13821855 ]

Hudson commented on HADOOP-10078:

SUCCESS: Integrated in Hadoop-trunk-Commit #4730 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/4730/])
HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1541720)
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO
[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13810785#comment-13810785 ]

Hadoop QA commented on HADOOP-10078:

{color:green}+1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12611484/HADOOP-10078.patch
against trunk revision .

{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:green}+1 tests included{color}. The patch appears to include 1 new or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in hadoop-common-project/hadoop-auth.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3260//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3260//console

This message is automatically generated.
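The header behaviour the issue description relies on, as an added example that is not code from Hadoop or from the attached patch: a constructed local server confirms the Authorization header goes out on the wire, while the client-side getRequestProperty call returns null for it, so a condition requiring it to be non-null stays false even on a 200. The class name, the X-Probe header, the token value and the && joining the two checks are assumptions (the operator does not survive in the hunk as shown in this thread), and the result depends on the OpenJDK HTTP handler.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.concurrent.atomic.AtomicReference;

// Added illustration, not Hadoop code. Class name, X-Probe header and the
// token value are constructed for this example.
public class AuthorizationHeaderVisibility {
    static final String AUTHORIZATION = "Authorization";

    public static void main(String[] args) throws Exception {
        // Constructed local endpoint: records the Authorization header it
        // receives and answers 200 with no body.
        AtomicReference<String> seenByServer = new AtomicReference<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            seenByServer.set(exchange.getRequestHeaders().getFirst(AUTHORIZATION));
            exchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, -1);
            exchange.close();
        });
        server.start();
        HttpURLConnection conn = null;
        try {
            int port = server.getAddress().getPort();
            conn = (HttpURLConnection)
                    URI.create("http://127.0.0.1:" + port + "/").toURL().openConnection();
            conn.setRequestMethod("OPTIONS");
            conn.setRequestProperty(AUTHORIZATION, "Negotiate Y29uc3RydWN0ZWQ=");
            conn.setRequestProperty("X-Probe", "visible");

            // An ordinary header can be read back from the connection object.
            String probe = conn.getRequestProperty("X-Probe");

            // Same call order as the hunk: connect, then inspect the connection.
            conn.connect();
            int code = conn.getResponseCode();
            String authSeenByClient = conn.getRequestProperty(AUTHORIZATION);

            // Condition in the shape of the '+' line (operator assumed to be &&).
            boolean withAuthorizationOperand =
                    authSeenByClient != null && code == HttpURLConnection.HTTP_OK;
            // Condition in the shape of the '-' line: response code only.
            boolean responseCodeOnly = code == HttpURLConnection.HTTP_OK;

            System.out.println("X-Probe read back by client        : " + probe);
            System.out.println("Authorization received by server   : " + seenByServer.get());
            System.out.println("Authorization read back by client  : " + authSeenByClient);
            System.out.println("response code                      : " + code);
            System.out.println("condition with Authorization check : " + withAuthorizationOperand);
            System.out.println("condition on response code only    : " + responseCodeOnly);
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
            server.stop(0);
        }
    }
}
```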