[jira] [Commented] (HADOOP-10078) KerberosAuthenticator always does SPNEGO

[Bowen Zhang (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13896823#comment-13896823
 ] 

Bowen Zhang commented on HADOOP-10078:
--------------------------------------

After HADOOP-10078, oozie kill/suspend and proxyUser service throw "user[?] 
null" error under non-secure environment while not using auth-token file. The 
root cause is that Kerberos Authenticator fails to fall back to 
PseudoAuthenticator to set the token for user, therefore the server side code 
doesn't know who the user is.

> KerberosAuthenticator always does SPNEGO
> ----------------------------------------
>
>                 Key: HADOOP-10078
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10078
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.3-alpha
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Minor
>             Fix For: 2.3.0
>
>         Attachments: HADOOP-10078.patch
>
>
> HADOOP-8883 made this change to {{KerberosAuthenticator}}
> {code:java}
> @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements 
> Authenticator {
>        conn.setRequestMethod(AUTH_HTTP_METHOD);
>        conn.connect();
>        
> -      if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
> +      if (conn.getRequestProperty(AUTHORIZATION) != null && 
> conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
>          LOG.debug("JDK performed authentication on our behalf.");
>          // If the JDK already did the SPNEGO back-and-forth for
>          // us, just pull out the token.
> {code}
> to fix OOZIE-1010.  However, as [~aklochkov] pointed out recently, this 
> inadvertently made the if statement always false because it turns out that 
> the JDK excludes some headers, including the "Authorization" one that we're 
> checking (see discussion 
> [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]).
>   This means that it was always either calling {{doSpnegoSequence(token);}} 
> or {{getFallBackAuthenticator().authenticate(url, token);}}, which is 
> actually the old behavior that existed before HADOOP-8855 changed it in the 
> first place.
> In any case, I tried removing the "Authorization" check and Oozie still works 
> with and without Kerberos; the NPE reported in OOZIE-1010 has since been 
> properly fixed due as a side effect for a similar issue in OOZIE-1368.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)