Haohui Mai created HADOOP-10453:
-----------------------------------
Summary: Do not use AuthenticatedURL in hadoop core
Key: HADOOP-10453
URL: https://issues.apache.org/jira/browse/HADOOP-10453
Project: Hadoop Common
Issue Type: Bug
Reporter: Haohui Mai
Priority: Blocker
As [~daryn] has suggested in HDFS-4564:
{quote}
AuthenticatedURL is not used because it is buggy in part to causing replay
attacks, double attempts to kerberos authenticate with the fallback
authenticator if the TGT is expired, incorrectly uses the fallback
authenticator (required by oozie servers) to add the username parameter which
webhdfs has already included in the uri.
AuthenticatedURL's attempt to do SPNEGO auth is a no-op because the JDK
transparently does SPNEGO when the user's Subject (UGI) contains kerberos
principals. Since AuthenticatedURL is now not used, webhdfs has to check the
TGT itself for token operations.
Bottom line is AuthenticatedURL is unnecessary and introduces nothing but
problems for webhdfs. It's only useful for oozie's anon/non-anon support.
{quote}
However, several functionalities that rely on SPNEGO in secure mode suffer
from the same problem. For example, NNs / JNs create HTTP connections to
exchange fsimage and edit logs. Currently all of them go through
{{AuthenticatedURL}}. This needs to be fixed to avoid security vulnerabilities.
This jira proposes to remove {{AuthenticatedURL}} from hadoop core and to move
it to oozie.
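The following is an added example, not code from this issue, from Hadoop or from Oozie. It shows the pattern the quoted comment describes: a plain {{HttpURLConnection}} opened inside {{ugi.doAs()}} gets SPNEGO from the JDK's built-in Negotiate support because the Kerberos credentials already sit in the UGI Subject, so no {{AuthenticatedURL}} is involved; the caller checks the TGT itself before making the request. Assumptions: the JVM keeps the default {{javax.security.auth.useSubjectCredsOnly=true}} (so the JDK GSS layer reads credentials from the Subject that {{doAs()}} installs), and the NN address in {{main}} is hypothetical.

```java
// Added example, not part of HADOOP-10453 or of Hadoop's own code.
// A plain HttpURLConnection run inside ugi.doAs() is authenticated by the
// JDK's transparent SPNEGO support; the application only has to make sure
// the TGT in the Subject is still valid before the request.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.security.UserGroupInformation;

public class SpnegoHttpExample {

    /**
     * Opens url as the current login user and returns the HTTP status.
     * Assumes javax.security.auth.useSubjectCredsOnly is left at its default
     * (true), so the JDK GSS layer takes Kerberos credentials from the
     * Subject that doAs() installs on the access control context.
     */
    static int fetchStatus(final URL url) throws IOException, InterruptedException {
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (UserGroupInformation.isSecurityEnabled()) {
            // Check the TGT ourselves (what the quoted comment says webhdfs
            // must do once AuthenticatedURL is gone) and relogin from the
            // keytab if it has expired; otherwise the JDK negotiation simply
            // fails with a 401 and there is no second authentication attempt.
            ugi.checkTGTAndReloginFromKeytab();
        }
        return ugi.doAs(new PrivilegedExceptionAction<Integer>() {
            @Override
            public Integer run() throws IOException {
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestMethod("GET");
                // On a 401 carrying "WWW-Authenticate: Negotiate", the JDK
                // answers with "Authorization: Negotiate <token>" built from
                // the Subject's TGT. No application-level authenticator and
                // no user.name query parameter is added by this code.
                int status = conn.getResponseCode();
                conn.disconnect();
                return status;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical NameNode web address; replace with a real secure endpoint.
        URL url = new URL("http://nn.example.com:50070/jmx");
        System.out.println("HTTP status: " + fetchStatus(url));
    }
}
```

Run this with a valid Kerberos login in the UGI (keytab or ticket cache) against a server that challenges with Negotiate; a 200 shows the JDK completed SPNEGO on its own, while a 401 after an expired TGT shows why the explicit TGT check above is needed rather than a fallback authenticator that could retry with weaker credentials.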
--
This message was sent by Atlassian JIRA
(v6.2#6252)