Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10078

KerberosAuthenticator always does SPNEGO

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.0.3-alpha
    • 2.3.0
    • security
    • None
    • Reviewed

    Description

      HADOOP-8883 made this change to KerberosAuthenticator

      @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements Authenticator {
             conn.setRequestMethod(AUTH_HTTP_METHOD);
             conn.connect();
             
      -      if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
      +      if (conn.getRequestProperty(AUTHORIZATION) != null && conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
               LOG.debug("JDK performed authentication on our behalf.");
               // If the JDK already did the SPNEGO back-and-forth for
               // us, just pull out the token.
      

      to fix OOZIE-1010. However, as Andrey Klochkov pointed out recently, this inadvertently made the if statement always false because it turns out that the JDK excludes some headers, including the "Authorization" one that we're checking (see discussion here). This means that it was always either calling doSpnegoSequence(token); or getFallBackAuthenticator().authenticate(url, token);, which is actually the old behavior that existed before HADOOP-8855 changed it in the first place.

      In any case, I tried removing the "Authorization" check and Oozie still works with and without Kerberos; the NPE reported in OOZIE-1010 has since been properly fixed due as a side effect for a similar issue in OOZIE-1368.

      Attachments

        1. HADOOP-10078.patch
          2 kB
          Robert Kanter

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            rkanter Robert Kanter
            rkanter Robert Kanter
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Issue deployment