[
https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14193743#comment-14193743
]
Yongjun Zhang commented on HADOOP-10895:
----------------------------------------
HI [~rkanter] and [~hitliuyi],
Thanks a lot for your earlier review and comments. I uploaded rev 004 to
address them.
{quote}
In TestPseudoAuthenticator, you don't need to change the fallback to true.
{quote}
Done.
{quote}
It looks like most of the tests enable the fallback behavior. If the default is
going to be not to fallback, I think the tests should be updated to not require
falling back (unless the test is specifically testing something that requires
fallback to be enabled).
{quote}
Indeed quite some existing testcases count on the fallback behaviour. Enabling
the config property make them to pass. So this indicates that the old behaviour
is not broken as long as we enable the config property. I agree that we should
have some tests that don't count on the fallback, however, I expect there
should be some tests like that already (those I don't have to fix because they
succeeded without fallback), because the fallback is just a fallback after all.
I will probably dig some more to find some of those tests out.
{quote}
Can you add a test that verifies that you can't fallback when it's disabled?
{quote}
Added
{code}
@Test(expected=AuthenticationException.class)
public void testDisallowFallbacktoPseudoAuthenticatorFail()
{code}
{quote}
Setting "ipc.client.fallback-to-simple-auth-allowed"...
{quote}
In the new rev I made it a requirement to pass the default authenticator to the
constructor of AuthenticatedURL, because it's not easy to pass the config
property to the old default authenticator implemented in AuthenicatedURL. I
hope this can work better.
Thanks for taking further look at the new rev.
> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
> Key: HADOOP-10895
> URL: https://issues.apache.org/jira/browse/HADOOP-10895
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Yongjun Zhang
> Priority: Blocker
> Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch,
> HADOOP-10895.003.patch, HADOOP-10895.004.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the
> delegation token version coming in with HADOOP-10771 should have a flag to
> disable fallback to pseudo, similarly to the one that was introduced in
> Hadoop RPC client with HADOOP-9698.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
