You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2014/11/01 01:38:34 UTC

[jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14192826#comment-14192826 ] 

Robert Kanter commented on HADOOP-10895:
----------------------------------------

I took a closer look and had a few comments:
# In {{TestPseudoAuthenticator}}, you don't need to change the fallback to {{true}}.  The {{PseudoAuthenticator}} can't actually fallback (in fact, the setter doesn't do anything).
# It looks like most of the tests enable the fallback behavior.  If the default is going to be not to fallback, I think the tests should be updated to not require falling back (unless the test is specifically testing something that requires fallback to be enabled).
# Can you add a test that verifies that you can't fallback when it's disabled?
# Setting "ipc.client.fallback-to-simple-auth-allowed" is only going to work for the KMS.  If I want to create a {{KerberosAuthenticator}} that allows fallback, I have to call the {{setAllowDefaultAuthToFallbackToPseudo}} method.  However, once I add that call, if I also wanted to allow my code to be compiled against a previous version of Hadoop, it won't compile now.  The nice thing about having a property config to enable/disable this is that it doesn't breaking compiling.  In other words, it would be nice if I could set a property config to enable the fallback: this would allow the fallback going forward but still allow the code to work with earlier Hadoop versions (they would just ignore the property).

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly to the one that was introduced in Hadoop RPC client with HADOOP-9698.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)