Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10453

Do not use AuthenticatedURL in hadoop core

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      As Daryn Sharp has suggested in HDFS-4564:

      AuthenticatedURL is not used because it is buggy in part to causing replay attacks, double attempts to kerberos authenticate with the fallback authenticator if the TGT is expired, incorrectly uses the fallback authenticator (required by oozie servers) to add the username parameter which webhdfs has already included in the uri.

      AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK transparently does SPNEGO when the user's Subject (UGI) contains kerberos principals. Since AuthenticatedURL is now not used, webhdfs has to check the TGT itself for token operations.
      Bottom line is AuthenticatedURL is unnecessary and introduces nothing but problems for webhdfs. It's only useful for oozie's anon/non-anon support.

      However, several functionalities that relies on SPNEGO in secure mode suffer from the same problem. For example, NNs / JNs create HTTP connections to exchange fsimage and edit logs. Currently all of them are through AuthenticatedURL. This needs to be fixed to avoid security vulnerabilities.

      This jira purposes to remove AuthenticatedURL from hadoop core and to move it to oozie.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                wheat9 Haohui Mai
              • Votes:
                0 Vote for this issue
                Watchers:
                18 Start watching this issue

                Dates

                • Created:
                  Updated: