  1. Hadoop Common
  2. HADOOP-11467

KerberosAuthenticator can connect to a non-secure cluster

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.7.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      While looking at HADOOP-10895, we discovered that the KerberosAuthenticator can authenticate with a non-secure cluster, even without falling back.

      The problematic code is here:

            if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {    // <----- A
              LOG.debug("JDK performed authentication on our behalf.");
              // If the JDK already did the SPNEGO back-and-forth for
              // us, just pull out the token.
              AuthenticatedURL.extractToken(conn, token);
              return;
            } else if (isNegotiate()) {                                   // <----- B
              LOG.debug("Performing our own SPNEGO sequence.");
              doSpnegoSequence(token);
            } else {                                                      // <----- C
              LOG.debug("Using fallback authenticator sequence.");
              Authenticator auth = getFallBackAuthenticator();
              // Make sure that the fall back authenticator have the same
              // ConnectionConfigurator, since the method might be overridden.
              // Otherwise the fall back authenticator might not have the information
              // to make the connection (e.g., SSL certificates)
              auth.setConnectionConfigurator(connConfigurator);
              auth.authenticate(url, token);
            }
          }
      

      Sometimes the JVM does the SPNEGO for us, and path A is used. However, if the KerberosAuthenticator tries to talk to a non-secure cluster, path A also succeeds in this case.
      More details can be found in this comment:
      https://issues.apache.org/jira/browse/HADOOP-10895?focusedCommentId=14247476&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14247476

      We've actually dealt with this before. HADOOP-8883 tried to fix a related problem by adding another condition to path A that would look for a header. However, the JVM hides this header, making path A never occur. We reverted this change in HADOOP-10078, and didn't realize that there was still a problem until now.
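
The branch choice described above, as an added example that is not part of the original issue or of Hadoop's code: it contrasts the reported logic with a stricter variant that takes path A only when the issued token names Kerberos. The class and method names, the `t=` cookie field and the sample cookie values are assumptions made for illustration.

```java
import java.net.HttpURLConnection;
import java.util.Arrays;
import java.util.Optional;

// Added illustration, not Hadoop code: models only the branch choice in the excerpt.
public class PathChoice {
    enum Path { A_JDK_DID_SPNEGO, B_OWN_SPNEGO, C_FALLBACK }

    // The excerpt's logic: an HTTP 200 on the first request selects path A by itself.
    static Path asReported(int status, boolean negotiate) {
        if (status == HttpURLConnection.HTTP_OK) return Path.A_JDK_DID_SPNEGO;
        return negotiate ? Path.B_OWN_SPNEGO : Path.C_FALLBACK;
    }

    // Assumption: the auth cookie value is '&'-separated key=value pairs and
    // the mechanism that issued the token is recorded under the key "t".
    static Optional<String> tokenType(String cookieValue) {
        if (cookieValue == null) return Optional.empty();
        return Arrays.stream(cookieValue.split("&"))
                .filter(kv -> kv.startsWith("t="))
                .map(kv -> kv.substring(2))
                .findFirst();
    }

    // Stricter variant: a 200 is accepted as path A only when the server-issued
    // token says Kerberos was used; otherwise the fallback path decides.
    static Path stricter(int status, boolean negotiate, String cookieValue) {
        if (status == HttpURLConnection.HTTP_OK) {
            boolean kerberos = tokenType(cookieValue).map("kerberos"::equals).orElse(false);
            return kerberos ? Path.A_JDK_DID_SPNEGO : Path.C_FALLBACK;
        }
        return negotiate ? Path.B_OWN_SPNEGO : Path.C_FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample cookie values, not captured traffic.
        String secure = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1700000000000&s=sig";
        String nonSecure = "u=alice&p=alice&t=simple&e=1700000000000&s=sig";
        System.out.println("as reported, non-secure 200 -> " + asReported(200, false));
        System.out.println("stricter,    non-secure 200 -> " + stricter(200, false, nonSecure));
        System.out.println("stricter,    secure 200     -> " + stricter(200, false, secure));
        System.out.println("stricter,    401 Negotiate  -> " + stricter(401, true, null));
        System.out.println("stricter,    200, no cookie -> " + stricter(200, false, null));
    }
}
```

The stricter check trusts what the server says about itself, so it separates a secure endpoint from a non-secure one rather than authenticating the server.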

      Attachments

        1. HADOOP-11467.004.patch (25 kB, Yongjun Zhang)
        2. HADOOP-11467.003.patch (21 kB, Yongjun Zhang)
        3. HADOOP-11467.002.patch (25 kB, Yongjun Zhang)
        4. HADOOP-11467.001.patch (16 kB, Yongjun Zhang)

            People

              Assignee: Yongjun Zhang (yzhangal)
              Reporter: Robert Kanter (rkanter)