Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2016/06/01 01:21:12 UTC

[jira] [Comment Edited] (HADOOP-13228) Add delegation token to the connection in DelegationTokenAuthenticator

    [ https://issues.apache.org/jira/browse/HADOOP-13228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15309009#comment-15309009 ] 

Xiao Chen edited comment on HADOOP-13228 at 6/1/16 1:20 AM:
------------------------------------------------------------

Fix:
As talked with [~andrew.wang], given that the querystring is deprecated, we don't need to support it in newly added functionalities. Hence, I simply put up the fix to always put the DT to the request header, when conducting the 3 (get/renew/cancel) DT ops. The fix here is in {{DelegationTokenAuthenticator}} because that's where the connection is created.

Test:
- Seems to me {{TestWebDelegationToken}} is the best place to test this. (HADOOP-13155 will also test this from an end-to-end POV.)
- {{TestWebDelegationToken}} currently creates a bunch of fake classes to test. To keep the change minimal, I added a new test for using DT, and added the verification logic to the fake server classes.
- Existing tests pass because 1) when authToken is valid, no DT logic is triggered. 2) When there's no DT, they fall back to the underlying auth handler, which is again faked.
- I added a {{verifyHeader}} flag to control whether to check the request header or not. This is because if we have an auth token, we don't care about DT anymore. (So all existing tests don't need to verify header). If this is not acceptable, I think we can also create a new DTAuthHandler stub for verifying this.
- Added a log in DTAuthHandler, which I think is super helpful for debugging this.


was (Author: xiaochen):
Fix:
As talked with [~andrew.wang], given that the querystring is deprecated, we don't need to support it in newly added functionalities. Hence, I simply put up the fix to always put the DT to the request header, when conducting the 3 (get/renew/cancel) DT ops. The fix here is in {{DelegationTokenAuthenticator}} because that's where the connection is created.

Test:
- Seems to me {{TestWebDelegationToken}} is the best place to test this. (HADOOP-13155 will also test this from an end-to-end POV.)
- {{TestWebDelegationToken}} currently creates a bunch of fake classes to test. To keep the change minimal, I added a new test for using DT, and added the verification logic to the fake server classes.
- Existing tests pass because when there's no DT, they fall back to the underlying auth handler, which is again faked.
- I added a {{verifyHeader}} flag to control whether to check the request header or not. This is because if we have an auth token, we don't care about DT anymore. (So all existing tests don't need to verify header). If this is not acceptable, I think we can also create a new DTAuthHandler stub for verifying this.
- Added a log in DTAuthHandler, which I think is super helpful for debugging this.

> Add delegation token to the connection in DelegationTokenAuthenticator
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-13228
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13228
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13228.01.patch
>
>
> Following [a comment from another jira|https://issues.apache.org/jira/browse/HADOOP-13155?focusedCommentId=15308715&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15308715], create this to specifically handle the delegation token renewal/cancellation bug in {{DelegationTokenAuthenticatedURL}} and {{DelegationTokenAuthenticator}}.


