[ https://issues.apache.org/jira/browse/HADOOP-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822436#comment-13822436 ]
Hudson commented on HADOOP-10078: --------------------------------- SUCCESS: Integrated in Hadoop-Hdfs-trunk #1582 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1582/]) HADOOP-10078. KerberosAuthenticator always does SPNEGO. (rkanter via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1541720) * /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java * /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt > KerberosAuthenticator always does SPNEGO > ---------------------------------------- > > Key: HADOOP-10078 > URL: https://issues.apache.org/jira/browse/HADOOP-10078 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.0.3-alpha > Reporter: Robert Kanter > Assignee: Robert Kanter > Priority: Minor > Fix For: 2.2.1 > > Attachments: HADOOP-10078.patch > > > HADOOP-8883 made this change to {{KerberosAuthenticator}} > {code:java} > @@ -158,7 +158,7 @@ public class KerberosAuthenticator implements > Authenticator { > conn.setRequestMethod(AUTH_HTTP_METHOD); > conn.connect(); > > - if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) { > + if (conn.getRequestProperty(AUTHORIZATION) != null && > conn.getResponseCode() == HttpURLConnection.HTTP_OK) { > LOG.debug("JDK performed authentication on our behalf."); > // If the JDK already did the SPNEGO back-and-forth for > // us, just pull out the token. > {code} > to fix OOZIE-1010. However, as [~aklochkov] pointed out recently, this > inadvertently made the if statement always false because it turns out that > the JDK excludes some headers, including the "Authorization" one that we're > checking (see discussion > [here|https://issues.apache.org/jira/browse/HADOOP-8883?focusedCommentId=13807596&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13807596]). > This means that it was always either calling {{doSpnegoSequence(token);}} > or {{getFallBackAuthenticator().authenticate(url, token);}}, which is > actually the old behavior that existed before HADOOP-8855 changed it in the > first place. > In any case, I tried removing the "Authorization" check and Oozie still works > with and without Kerberos; the NPE reported in OOZIE-1010 has since been > properly fixed due as a side effect for a similar issue in OOZIE-1368. -- This message was sent by Atlassian JIRA (v6.1#6144)