Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10453

Do not use AuthenticatedURL in hadoop core



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • None


      As daryn has suggested in HDFS-4564:

      AuthenticatedURL is not used because it is buggy in part to causing replay attacks, double attempts to kerberos authenticate with the fallback authenticator if the TGT is expired, incorrectly uses the fallback authenticator (required by oozie servers) to add the username parameter which webhdfs has already included in the uri.

      AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK transparently does SPNEGO when the user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL is now not used, webhdfs has to check the TGT itself for token operations.
      Bottom line is AuthenticatedURL is unnecessary and introduces nothing but problems for webhdfs. It's only useful for oozie's anon/non-anon support.

      However, several functionalities that relies on SPNEGO in secure mode suffer from the same problem. For example, NNs / JNs create HTTP connections to exchange fsimage and edit logs. Currently all of them are through AuthenticatedURL. This needs to be fixed to avoid security vulnerabilities.

      This jira purposes to remove AuthenticatedURL from hadoop core and to move it to oozie.


        Issue Links



              Unassigned Unassigned
              wheat9 Haohui Mai
              0 Vote for this issue
              18 Start watching this issue