[
https://issues.apache.org/jira/browse/HADOOP-10398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13940749#comment-13940749
]
Robert Kanter commented on HADOOP-10398:
----------------------------------------
I agree with [~daryn]: we shouldn't revert HADOOP-10078. That basically just
throws away the first if statement by making it always false. I don't think
this is a high enough priority to warrant an immediate work-around, it requires
a very specific set of options that aren't the default. We should try to fix
this properly.
Going back to what [~bowenzhangusa] said earlier, the command you ran was
{{bin/oozie -Doozie.auth.token.cache=false job -oozie
http://localhost:11000/oozie -kill 0000000-140314142500148-oozie-bzha-W}}. As
[~daryn] pointed out, the trace shows the user is anonymous. If
{{oozie.service.AuthorizationService.security.enabled}} is true, then it should
be blocking anonymous users from killing the job because that job was
(presumably) started by a different user who is not anonymous; so in that
sense, the behavior is correct.
It seems wrong that the user is anonymous; any idea why? It should pick up the
user who is running that kill command.
What happens when you don't set the cache to false?
> KerberosAuthenticator failed to fall back to PseudoAuthenticator after
> HADOOP-10078
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-10398
> URL: https://issues.apache.org/jira/browse/HADOOP-10398
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Tsz Wo Nicholas Sze
> Assignee: Tsz Wo Nicholas Sze
> Attachments: a.txt, c10398_20140310.patch
>
>
> {code}
> //KerberosAuthenticator.java
> if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
> LOG.debug("JDK performed authentication on our behalf.");
> // If the JDK already did the SPNEGO back-and-forth for
> // us, just pull out the token.
> AuthenticatedURL.extractToken(conn, token);
> return;
> } else ...
> {code}
> The problem of the code above is that HTTP_OK does not implies authentication
> completed. We should check if the token can be extracted successfully.
> This problem was reported by [~bowenzhangusa] in [this
> comment|https://issues.apache.org/jira/browse/HADOOP-10078?focusedCommentId=13896823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13896823]
> earlier.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
