[ 
https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194809#comment-14194809
 ] 

Yongjun Zhang commented on HADOOP-10895:
----------------------------------------

Hi [~tucu00],

Thanks a lot for your input. The problem is that {{AuthenticatedURL}} creates 
an authenticator when client code doesn't pass one:
{code}
public AuthenticatedURL(Authenticator authenticator,
    ConnectionConfigurator connConfigurator) {
    try {
      if (authenticator != null) {
        this.authenticator = authenticator;
      } else {
        // use default authenticator
        // <== this is where the default authenticator is created
        this.authenticator = DEFAULT_AUTHENTICATOR.newInstance();
      }
  ...
{code}

We somehow need to let AuthenticatedURL know whether to create an authenticator 
that allows fallback or not. Certainly this is relevant only when the 
authenticator is KerberosAuthenticator. Since the user is allowed to set the 
default authenticator type, and {{AuthenticatedURL}} doesn't really care what 
authenticator type it is creating.

Are you suggesting that we can change AuthenticatedURL to not create an 
authenticator in the above code, and instead to retrieve the static version 
from the corresponding authenticator class? I can make this change to 
{{AuthenticatedURL}}; I wonder whether there is any compatibility concern in 
doing so?

Thanks.
 

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, 
> HADOOP-10895.003.patch, HADOOP-10895.004.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the 
> delegation token version coming in with HADOOP-10771 should have a flag to 
> disable fallback to pseudo, similarly to the one that was introduced in 
> Hadoop RPC client with HADOOP-9698.


