[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14203225#comment-14203225 ]
Yongjun Zhang commented on HADOOP-10895:
----------------------------------------
Hi [~tucu00],

Many thanks for your comments. Had to work on a critical internal issue for
some time, so sorry for being late here.

About your second comment, I also think it's a good practice for all client
code to create an authenticator with the expected on/off setting and pass it to
AuthenticatedURL or DelegationTokenAuthenticatedURL's constructor. I actually
tried to enforce that all clients must pass a valid authenticator in rev004. But
to be backward compatible, we moved on to rev007 now.

Currently KMSClientProvider uses constructor {{public
DelegationTokenAuthenticatedURL(ConnectionConfigurator connConfigurator)}} and
counts on DelegationTokenAuthenticatedURL to create a default authenticator of
type {{DelegationTokenAuthenticatedURL#DEFAULT_AUTHENTICATOR}}.

To address your comment #2, we need to create an authenticator in
KMSClientProvider. We need to know what type of authenticator to create. To be
backward compatible, it seems we should continue to use the type
{{DelegationTokenAuthenticatedURL#DEFAULT_AUTHENTICATOR}}, which is defaulted
to {{KerberosDelegationTokenAuthenticator.class}} and is resettable by client
code.

So to address your comment #1, we can replace the following code in
KMSClientProvider
{code}
public HttpURLConnection run() throws Exception {
  DelegationTokenAuthenticatedURL authUrl =
      new DelegationTokenAuthenticatedURL(configurator);
{code}
with
{code}
public HttpURLConnection run() throws Exception {
  Class<? extends DelegationTokenAuthenticator> authType =
      DelegationTokenAuthenticatedURL.getDefaultDelegationTokenAuthenticator();
  DelegationTokenAuthenticator auth =
      (authType == KerberosDelegationTokenAuthenticator.class)
          ? new KerberosDelegationTokenAuthenticator(allowFallback)
          : authType.newInstance();
  DelegationTokenAuthenticatedURL authUrl =
      new DelegationTokenAuthenticatedURL(auth, configurator);
{code}
Would you please confirm if this is what you are looking for?
Thanks a lot.
> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
> Key: HADOOP-10895
> URL: https://issues.apache.org/jira/browse/HADOOP-10895
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Yongjun Zhang
> Priority: Blocker
> Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch,
> HADOOP-10895.003.patch, HADOOP-10895.003v1.patch, HADOOP-10895.003v2.patch,
> HADOOP-10895.003v2improved.patch, HADOOP-10895.004.patch,
> HADOOP-10895.005.patch, HADOOP-10895.006.patch, HADOOP-10895.007.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the
> delegation token version coming in with HADOOP-10771 should have a flag to
> disable fallback to pseudo, similarly to the one that was introduced in
> Hadoop RPC client with HADOOP-9698.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
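
An added example, not part of the original comment or of the Hadoop code base: a simplified model of the decision that the flag requested in this issue guards, where the client fails closed instead of falling back to pseudo authentication when `allowFallback` is false. The class, enum and method names and the status and header rules are assumptions of this model; only the `allowFallback` name comes from the comment above.

```java
import java.util.List;
import java.util.Map;

// Simplified, hypothetical model of a client-side fallback decision; not Hadoop code.
public class FallbackFlagDemo {

    enum Action { ALREADY_OK, SPNEGO, PSEUDO_FALLBACK }

    /** Decide how to proceed from the server's reply to an unauthenticated probe. */
    static Action decide(int status, Map<String, List<String>> headers, boolean allowFallback) {
        if (status == 200) {
            return Action.ALREADY_OK;
        }
        if (status == 401 && offersNegotiate(headers)) {
            return Action.SPNEGO;
        }
        if (!allowFallback) {
            // Fail closed: do not send an unauthenticated identity claim
            // to a server that never asked for Kerberos.
            throw new SecurityException("server did not offer Negotiate; fallback disabled");
        }
        return Action.PSEUDO_FALLBACK;
    }

    static boolean offersNegotiate(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // Header names are case-insensitive; HttpURLConnection stores the status line under a null key.
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("WWW-Authenticate")) {
                continue;
            }
            for (String v : e.getValue()) {
                if (v.trim().regionMatches(true, 0, "Negotiate", 0, 9)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample replies, not captured traffic.
        Map<String, List<String>> negotiate = Map.of("www-authenticate", List.of("Negotiate"));
        Map<String, List<String>> plain = Map.of("Content-Type", List.of("text/html"));
        System.out.println(decide(401, negotiate, false)); // Kerberos offered: flag not consulted
        System.out.println(decide(403, plain, true));      // fallback permitted by the caller
        try {
            decide(403, plain, false);                     // fallback refused
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```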