Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10078

KerberosAuthenticator always does SPNEGO

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.0.3-alpha
    • 2.3.0
    • security
    • None
    • Reviewed

    Description

      HADOOP-8883 made this change to KerberosAuthenticator

      @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements Authenticator {
       conn.setRequestMethod(AUTH_HTTP_METHOD);
       conn.connect();
       
-      if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
+      if (conn.getRequestProperty(AUTHORIZATION) != null && conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
         LOG.debug("JDK performed authentication on our behalf.");
         // If the JDK already did the SPNEGO back-and-forth for
         // us, just pull out the token.

      to fix OOZIE-1010. However, as aklochkov pointed out recently, this inadvertently made the if statement always false because it turns out that the JDK excludes some headers, including the "Authorization" one that we're checking (see discussion here). This means that it was always either calling doSpnegoSequence(token); or getFallBackAuthenticator().authenticate(url, token);, which is actually the old behavior that existed before HADOOP-8855 changed it in the first place.

      In any case, I tried removing the "Authorization" check and Oozie still works with and without Kerberos; the NPE reported in OOZIE-1010 has since been properly fixed due as a side effect for a similar issue in OOZIE-1368.

      Attachments

        1. HADOOP-10078.patch
          2 kB
          Robert Kanter

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-10398 KerberosAuthenticator failed to fall back to PseudoAuthenticator after HADOOP-10078

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OOZIE-2315 TestOozieCLI.testshareLibUpdate_withSecurity fails with Hadoop 2

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OOZIE-800 Job start/kill gives authorization error

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OOZIE-1010 Oozie CLI throws an NPE with Hadoop trunk with simple auth

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-8883 Anonymous fallback in KerberosAuthenticator is broken

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. OOZIE-1368 Error message when using an incorrect oozie url with kerberos is misleading

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-8855 SSL-based image transfer does not work when Kerberos is disabled

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-11467 KerberosAuthenticator can connect to a non-secure cluster

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              rkanter Robert Kanter
              rkanter Robert Kanter
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: