Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10895

HTTP KerberosAuthenticator fallback should have a flag to disable it

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 2.4.1
    • None
    • security
    • None
    • Incompatible change
    • Hide
      Prior to this fix, the fallback from kerberos authenticator to pseudo authenticator is enabled as hardcoded. After the fix, the fallback is disabled by default, and user need to set configuration property "ipc.client.fallback-to-simple-auth-allowed" to "true" to enable it. Application may also call KerberosAuthenticator.setAllowFallbackToPseudoAuthDefault(true) at initialization time to change the default to true, or uses the non-default constructors of KerberosAuthenticator and KerberosDelegationTokenAuthenticator to change the per-authenticator setting.
      Show
      Prior to this fix, the fallback from kerberos authenticator to pseudo authenticator is enabled as hardcoded. After the fix, the fallback is disabled by default, and user need to set configuration property "ipc.client.fallback-to-simple-auth-allowed" to "true" to enable it. Application may also call KerberosAuthenticator.setAllowFallbackToPseudoAuthDefault(true) at initialization time to change the default to true, or uses the non-default constructors of KerberosAuthenticator and KerberosDelegationTokenAuthenticator to change the per-authenticator setting.

    Description

      Per review feedback in HADOOP-10771, KerberosAuthenticator and the delegation token version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly to the one that was introduced in Hadoop RPC client with HADOOP-9698.

      Attachments

        1. HADOOP-10895.001.patch
          41 kB
          Yongjun Zhang
        2. HADOOP-10895.002.patch
          41 kB
          Yongjun Zhang
        3. HADOOP-10895.003.patch
          51 kB
          Yongjun Zhang
        4. HADOOP-10895.003v1.patch
          49 kB
          Yongjun Zhang
        5. HADOOP-10895.003v2.patch
          52 kB
          Yongjun Zhang
        6. HADOOP-10895.003v2improved.patch
          49 kB
          Yongjun Zhang
        7. HADOOP-10895.004.patch
          65 kB
          Yongjun Zhang
        8. HADOOP-10895.005.patch
          43 kB
          Yongjun Zhang
        9. HADOOP-10895.006.patch
          52 kB
          Yongjun Zhang
        10. HADOOP-10895.007.patch
          49 kB
          Yongjun Zhang
        11. HADOOP-10895.008.patch
          53 kB
          Yongjun Zhang
        12. HADOOP-10895.009.patch
          53 kB
          Yongjun Zhang

        Issue Links

          is depended upon by

          Bug - A problem which impairs or prevents the functions of the product. SQOOP-1772 Sqoop2: Logically discern between kerberos and simple auth handling

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-11467 KerberosAuthenticator can connect to a non-secure cluster

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              Unassigned Unassigned
              tucu00 Alejandro Abdelnur
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated: