[jira] [Commented] (HADOOP-10398) KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078

Wed, 12 Mar 2014 16:06:24 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13932608#comment-13932608
 ] 

Daryn Sharp commented on HADOOP-10398:
--------------------------------------

This patch is wrong.  Please don't commit anything w/o me commenting.  I've had 
to do a lot of internal work on webhdfs related to authentication, and I can 
tell you AuthenticatedUrl is riddled with bugs and this doesn't appear to be a 
solution.

If you get a 200 OK, that _always_ means you are authenticated.  The JDK is 
going to spnego authenticate you automatically.  If you get a 200, there is no 
need to use a fallback authenticator.  The only time a fallback is necessary is 
if you receive a 401 with WWW-Authenticate != negotiate.  If it's negotiate, 
then it means you don't have kerberos credentials.

> KerberosAuthenticator failed to fall back to PseudoAuthenticator after 
> HADOOP-10078
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-10398
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10398
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tsz Wo Nicholas Sze
>            Assignee: Tsz Wo Nicholas Sze
>         Attachments: c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
>       if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
>         LOG.debug("JDK performed authentication on our behalf.");
>         // If the JDK already did the SPNEGO back-and-forth for
>         // us, just pull out the token.
>         AuthenticatedURL.extractToken(conn, token);
>         return;
>       } else ...
> {code}
> The problem of the code above is that HTTP_OK does not implies authentication 
> completed.  We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this 
> comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
>  earlier.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to