[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194710#comment-14194710 ]

Yongjun Zhang commented on HADOOP-10895:
----------------------------------------

A further thought: we are not removing the pre-existing DEFAULT_AUTHENTICATOR 
related interface, to be safe.

* The rev3 approach is to have a static boolean member in AuthenticatedURL to 
remember whether fallback is supported (set by method 
{{AuthenticatedURL#setAllowDefaultAuthToFallbackToPseudo}}), and apply it when 
creating an authenticator if the client doesn't pass one. The authenticator 
created here is dynamic instead of static.

* The suggested change is to create a static authenticator when 
{{AuthenticatedURL#setAllowDefaultAuthToFallbackToPseudo}} is called. A static 
authenticator of type DEFAULT_AUTHENTICATOR is created here. Notice that when 
{{AuthenticatedURL#setDefaultAuthenticator}} is called, the value of 
DEFAULT_AUTHENTICATOR is reset, so we need to create the static authenticator 
object again even if it was created already.

So the new suggested change is essentially the same as rev3 from the client-side 
point of view. The difference is when to create the object and whether we 
create a dynamic or a static default authenticator object, which is transparent 
to the client.

Thanks.



> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, 
> HADOOP-10895.003.patch, HADOOP-10895.004.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the 
> delegation token version coming in with HADOOP-10771 should have a flag to 
> disable fallback to pseudo, similarly to the one that was introduced in 
> Hadoop RPC client with HADOOP-9698.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
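
The two designs compared in the comment above, modeled as an added Java sketch (Java 16 or later); it is not code from any HADOOP-10895 patch. `Auth`, `DynamicDefault`, `StaticDefault` and the `Function`-based default type are hypothetical stand-ins, and fallback being enabled by default is an assumption.

```java
import java.util.function.Function;
/** Stand-in model of the two designs; none of these types are Hadoop's. */
public class FallbackDesigns {
    /** Hypothetical authenticator: its type name and its fallback policy. */
    record Auth(String type, boolean fallbackToPseudo) {}

    /** rev3 style: keep a static flag, build the default on each use. */
    static class DynamicDefault {
        static Function<Boolean, Auth> defaultType = f -> new Auth("kerberos", f);
        static boolean allowFallback = true; // assumed default: fallback enabled

        static void setDefaultAuthenticator(Function<Boolean, Auth> t) { defaultType = t; }
        static void setAllowFallback(boolean allow) { allowFallback = allow; }
        static Auth resolve(Auth fromClient) {
            return fromClient != null ? fromClient : defaultType.apply(allowFallback);
        }
    }

    /** Suggested style: rebuild one static instance whenever a setter runs. */
    static class StaticDefault {
        static Function<Boolean, Auth> defaultType = f -> new Auth("kerberos", f);
        static boolean allowFallback = true; // assumed default: fallback enabled
        static Auth instance = defaultType.apply(allowFallback);

        static void setDefaultAuthenticator(Function<Boolean, Auth> t) {
            defaultType = t;
            instance = t.apply(allowFallback); // skip this and the old type lingers
        }
        static void setAllowFallback(boolean allow) {
            allowFallback = allow;
            instance = defaultType.apply(allow);
        }
        static Auth resolve(Auth fromClient) {
            return fromClient != null ? fromClient : instance;
        }
    }

    public static void main(String[] args) {
        Function<Boolean, Auth> custom = f -> new Auth("custom", f); // constructed
        DynamicDefault.setAllowFallback(false);
        StaticDefault.setAllowFallback(false);
        DynamicDefault.setDefaultAuthenticator(custom);
        StaticDefault.setDefaultAuthenticator(custom);
        Auth d = DynamicDefault.resolve(null), s = StaticDefault.resolve(null);
        if (!d.equals(s) || s.fallbackToPseudo() || !s.type().equals("custom"))
            throw new AssertionError("designs diverged: " + d + " vs " + s);
        System.out.println("both resolve to " + s);
    }
}
```

In the static variant, the disabled-fallback setting survives a later change of default type only because both setters rebuild the instance from the stored flag.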
