[https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883046#comment-13883046]
Daryn Sharp commented on HDFS-4564:
-----------------------------------
I was going to file separate patches, but splitting the patch will cause unit
test failures until all pieces are integrated. I can split it if you want.
I don't believe I saw a pro-active sending of the service ticket in the
tcpdumps. I'll go back and double check, but it's valid behavior per RFC4559:
{noformat}
4.2. The Authorization Request Header
[....]
A client may initiate a connection to the server with an
"Authorization" header containing the initial token for the server.
This form will bypass the initial 401 error from the server when the
client knows that the server will accept the Negotiate HTTP
authentication type.
{noformat}
I'm not sure what value AuthenticatedURL is adding though. It's supposed to
retry spnego if/after java fails spnego (401 + WWW-Authenticate: Negotiate).
That condition never occurs. Otherwise it falls back to the pseudo auth for
non-200 response, incorrectly assuming security is disabled, where java tries
spnego again and fails.
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.
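As an added illustration (not code from the HDFS-4564 patch or from Hadoop's AuthenticatedURL), this models the client-side decision the comment describes: the "any non-200 means security is disabled" fallback beside a check that distinguishes a 401 Negotiate challenge from a 403 denial, plus the pre-emptive Authorization header RFC 4559 4.2 allows. The Response class, the action names and the sample headers are constructed for the example.

```python
import base64
from dataclasses import dataclass

# Outcomes a client can reach after one HTTP round-trip (constructed names).
SUCCESS = "success"
RETRY_WITH_NEGOTIATE = "retry_with_negotiate"  # 401 + Negotiate challenge, no token sent yet
AUTH_FAILED = "auth_failed"                    # 401 although a token was already sent
FORBIDDEN = "forbidden"                        # 403: authenticated, but the operation is denied
OTHER_ERROR = "other_error"


@dataclass
class Response:
    status: int
    headers: dict  # constructed sample headers; names compared case-insensitively


def _header(resp, name):
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def negotiate_challenged(resp):
    """True when the server answered with a WWW-Authenticate: Negotiate challenge."""
    www = _header(resp, "WWW-Authenticate")
    return www is not None and www.strip().lower().startswith("negotiate")


def buggy_fallback(resp):
    """The behaviour the comment criticises: any non-200 is read as
    'security is off', so the client retries with pseudo (user.name) auth."""
    return "pseudo_auth" if resp.status != 200 else SUCCESS


def classify(resp, token_sent):
    """Hardened decision: only a 401 with a Negotiate challenge asks for
    authentication; a 403 is a denied operation, not a missing credential."""
    if resp.status == 200:
        return SUCCESS
    if resp.status == 401:
        if negotiate_challenged(resp) and not token_sent:
            return RETRY_WITH_NEGOTIATE
        return AUTH_FAILED
    if resp.status == 403:
        return FORBIDDEN
    return OTHER_ERROR


def preemptive_headers(gss_token):
    """RFC 4559 4.2: send the initial token up front and skip the 401 round-trip."""
    return {"Authorization": "Negotiate " + base64.b64encode(gss_token).decode("ascii")}
```

With a 403 the hardened client reports a denied operation, whereas the fallback retries with pseudo auth and, as the comment notes, SPNEGO then fails again.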
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)