Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/13918 )
Change subject: IMPALA-8783: Add Kerberos SPNEGO support to the http hs2 server ...................................................................... Patch Set 3: (2 comments) http://gerrit.cloudera.org:8080/#/c/13918/1/be/src/transport/THttpServer.cpp File be/src/transport/THttpServer.cpp: http://gerrit.cloudera.org:8080/#/c/13918/1/be/src/transport/THttpServer.cpp@187 PS1, Line 187: bool is_complete; Similar question to the earlier comment -- isn't it possible for SpnegoStep to return "OK" but not "complete"? In that case, it would be responding with a token, and you'd want to be sending the token back with the Unauthorized response? http://gerrit.cloudera.org:8080/#/c/13918/3/be/src/transport/THttpServer.cpp File be/src/transport/THttpServer.cpp: http://gerrit.cloudera.org:8080/#/c/13918/3/be/src/transport/THttpServer.cpp@199 PS3, Line 199: call the auth function with an empty string to allow them to : // generate return headers. shouldn't they have generated the return header from the bad token? ie i htink the SPNEGO spec includes the possibility of a multi-step authentication, where the client sends a token, the server responds with a different token (but not authorized). Is that not the case? -- To view, visit http://gerrit.cloudera.org:8080/13918 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I15d9a842ab37ebc34b9fde5917137ff2961d870a Gerrit-Change-Number: 13918 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Tauber-Marshall <tmarsh...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Thomas Tauber-Marshall <tmarsh...@cloudera.com> Gerrit-Reviewer: Todd Lipcon <t...@apache.org> Gerrit-Comment-Date: Fri, 26 Jul 2019 20:39:50 +0000 Gerrit-HasComments: Yes
