[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14192826#comment-14192826 ]
Robert Kanter commented on HADOOP-10895: ---------------------------------------- I took a closer look and had a few comments: # In {{TestPseudoAuthenticator}}, you don't need to change the fallback to {{true}}. The {{PseudoAuthenticator}} can't actually fallback (in fact, the setter doesn't do anything). # It looks like most of the tests enable the fallback behavior. If the default is going to be not to fallback, I think the tests should be updated to not require falling back (unless the test is specifically testing something that requires fallback to be enabled). # Can you add a test that verifies that you can't fallback when it's disabled? # Setting "ipc.client.fallback-to-simple-auth-allowed" is only going to work for the KMS. If I want to create a {{KerberosAuthenticator}} that allows fallback, I have to call the {{setAllowDefaultAuthToFallbackToPseudo}} method. However, once I add that call, if I also wanted to allow my code to be compiled against a previous version of Hadoop, it won't compile now. The nice thing about having a property config to enable/disable this is that it doesn't breaking compiling. In other words, it would be nice if I could set a property config to enable the fallback: this would allow the fallback going forward but still allow the code to work with earlier Hadoop versions (they would just ignore the property). > HTTP KerberosAuthenticator fallback should have a flag to disable it > -------------------------------------------------------------------- > > Key: HADOOP-10895 > URL: https://issues.apache.org/jira/browse/HADOOP-10895 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.4.1 > Reporter: Alejandro Abdelnur > Assignee: Yongjun Zhang > Priority: Blocker > Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, > HADOOP-10895.003.patch > > > Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the > delegation token version coming in with HADOOP-10771 should have a flag to > disable fallback to pseudo, similarly to the one that was introduced in > Hadoop RPC client with HADOOP-9698. -- This message was sent by Atlassian JIRA (v6.3.4#6332)