[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14203501#comment-14203501 ]
Yongjun Zhang commented on HADOOP-10895:
----------------------------------------
Hi [~tucu00],

The concern you raised in your comment #2 is that some code might mess with
the default fallback setting in the KerberosAuthenticator and cause unwanted
effects. I came up with an alternative solution that I think would address this
concern without having to do the change described in my last comment. I just
uploaded rev 008, with your comment #1 addressed too.

That is, let KMSClientProvider remember the value of allowFallback specified in
the configuration file as a private boolean member when the KMSClientProvider
object is constructed, and then refresh the KerberosAuthenticator's default
setting each time before the KMSClientProvider object creates an AuthenticatedURL
object.

After all, our intention is that the default setting should be the same as
specified in the configuration file all the time after initialization. What we
are adding here is a protection in case some code accidentally changed the
setting.

BTW, as far as I can see, the only production code that has the need for this
change is KMSClientProvider; other similar places are in testing code. I think
it's ok for the other places to rely on setting the default fallback at
initialization time without refreshing, which would even help us to find any
culprit code that tries to mess with the default setting after initialization,
if an error happens.

Would you please help take a look at rev 008?

Thanks a lot.

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
> Key: HADOOP-10895
> URL: https://issues.apache.org/jira/browse/HADOOP-10895
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Yongjun Zhang
> Priority: Blocker
> Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch,
> HADOOP-10895.003.patch, HADOOP-10895.003v1.patch, HADOOP-10895.003v2.patch,
> HADOOP-10895.003v2improved.patch, HADOOP-10895.004.patch,
> HADOOP-10895.005.patch, HADOOP-10895.006.patch, HADOOP-10895.007.patch,
> HADOOP-10895.008.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the
> delegation token version coming in with HADOOP-10771 should have a flag to
> disable fallback to pseudo, similarly to the one that was introduced in
> Hadoop RPC client with HADOOP-9698.
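
The approach described in the comment above (remember the configured allowFallback value, then re-apply the static default before each authenticated connection object is created), as an added stand-alone Java model that is not part of the original message or of Hadoop's code. The names ModelAuthenticator, ModelClientProvider and setDefaultAllowFallback are hypothetical stand-ins, and the shared lock is an assumption of this example.

```java
// Added illustration: a stand-alone model, not Hadoop source. All names are hypothetical.
public class FallbackRefreshDemo {

    /** Stand-in for an authenticator whose fallback default is process-wide (static). */
    static class ModelAuthenticator {
        private static boolean defaultAllowFallback = false;
        private final boolean allowFallback;

        static synchronized void setDefaultAllowFallback(boolean v) { defaultAllowFallback = v; }

        ModelAuthenticator() {
            synchronized (ModelAuthenticator.class) {
                // Each instance snapshots the static default at construction time.
                this.allowFallback = defaultAllowFallback;
            }
        }

        boolean allowsFallback() { return allowFallback; }
    }

    /** Stand-in for the client provider described in the comment. */
    static class ModelClientProvider {
        private final boolean allowFallback; // value from configuration, fixed per object

        ModelClientProvider(boolean configuredAllowFallback) {
            this.allowFallback = configuredAllowFallback;
        }

        ModelAuthenticator newAuthenticator() {
            // Holds the same lock as the static setter, so no caller of that setter
            // can change the default between the refresh and the construction.
            synchronized (ModelAuthenticator.class) {
                ModelAuthenticator.setDefaultAllowFallback(allowFallback);
                return new ModelAuthenticator();
            }
        }
    }

    public static void main(String[] args) {
        ModelClientProvider provider = new ModelClientProvider(false); // config: fallback disabled
        ModelAuthenticator.setDefaultAllowFallback(true);              // unrelated code flips the default

        boolean direct = new ModelAuthenticator().allowsFallback();         // inherits the flipped default
        boolean viaProvider = provider.newAuthenticator().allowsFallback(); // refreshed from config first

        System.out.println("direct construction allows fallback:   " + direct);
        System.out.println("provider construction allows fallback: " + viaProvider);
        if (!direct || viaProvider) throw new AssertionError("unexpected fallback state");
    }
}
```

In this model the refresh itself writes the process-wide default, so any object constructed afterwards without its own refresh inherits the provider's configured value.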