You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2014/11/01 01:38:34 UTC
[jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator
fallback should have a flag to disable it
[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14192826#comment-14192826 ]
Robert Kanter commented on HADOOP-10895:
----------------------------------------
I took a closer look and had a few comments:
# In {{TestPseudoAuthenticator}}, you don't need to change the fallback to {{true}}. The {{PseudoAuthenticator}} can't actually fallback (in fact, the setter doesn't do anything).
# It looks like most of the tests enable the fallback behavior. If the default is going to be not to fallback, I think the tests should be updated to not require falling back (unless the test is specifically testing something that requires fallback to be enabled).
# Can you add a test that verifies that you can't fallback when it's disabled?
# Setting "ipc.client.fallback-to-simple-auth-allowed" is only going to work for the KMS. If I want to create a {{KerberosAuthenticator}} that allows fallback, I have to call the {{setAllowDefaultAuthToFallbackToPseudo}} method. However, once I add that call, if I also wanted to allow my code to be compiled against a previous version of Hadoop, it won't compile now. The nice thing about having a property config to enable/disable this is that it doesn't breaking compiling. In other words, it would be nice if I could set a property config to enable the fallback: this would allow the fallback going forward but still allow the code to work with earlier Hadoop versions (they would just ignore the property).
> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
> Key: HADOOP-10895
> URL: https://issues.apache.org/jira/browse/HADOOP-10895
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Yongjun Zhang
> Priority: Blocker
> Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly to the one that was introduced in Hadoop RPC client with HADOOP-9698.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)