Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10078

KerberosAuthenticator always does SPNEGO

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3-alpha
    • Fix Version/s: 2.3.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      HADOOP-8883 made this change to KerberosAuthenticator

      @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements Authenticator {
             conn.setRequestMethod(AUTH_HTTP_METHOD);
             conn.connect();
             
      -      if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
      +      if (conn.getRequestProperty(AUTHORIZATION) != null && conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
               LOG.debug("JDK performed authentication on our behalf.");
               // If the JDK already did the SPNEGO back-and-forth for
               // us, just pull out the token.
      

      to fix OOZIE-1010. However, as Andrey Klochkov pointed out recently, this inadvertently made the if statement always false because it turns out that the JDK excludes some headers, including the "Authorization" one that we're checking (see discussion here). This means that it was always either calling doSpnegoSequence(token); or getFallBackAuthenticator().authenticate(url, token);, which is actually the old behavior that existed before HADOOP-8855 changed it in the first place.

      In any case, I tried removing the "Authorization" check and Oozie still works with and without Kerberos; the NPE reported in OOZIE-1010 has since been properly fixed due as a side effect for a similar issue in OOZIE-1368.

        Attachments

        1. HADOOP-10078.patch
          2 kB
          Robert Kanter

          Issue Links

            Activity

              People

              • Assignee:
                rkanter Robert Kanter
                Reporter:
                rkanter Robert Kanter
              • Votes:
                0 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: