From 3b1b53b1caf22b11c84192846926cdd51aced929 Mon Sep 17 00:00:00 2001
From: zeekling
Date: Sat, 21 Sep 2024 00:23:15 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=AE=A4=E8=AF=81=E7=9B=B8?= =?UTF-8?q?=E5=85=B3=E6=B3=A8=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../server/KerberosAuthenticationHandler.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
index 703842f3e3..7365e1ebb4 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -307,6 +307,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
 }
 AuthenticationToken token = null;
+ // 从请求头里面获取Token。
 String authorization = request.getHeader(
 KerberosAuthenticator.AUTHORIZATION);
@@ -322,6 +323,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
 KerberosAuthenticator.NEGOTIATE + "' : {}", authorization);
 }
 } else {
+ // token必须以NEGOTIATE开头。
 authorization = authorization.substring(
 KerberosAuthenticator.NEGOTIATE.length()).trim();
 final Base64 base64 = new Base64(0);
@@ -329,6 +331,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
 try {
 final String serverPrincipal = KerberosUtil.getTokenServerName(clientToken);
+ // 客户端的token必须包含HTTP/
 if (!serverPrincipal.startsWith("HTTP/")) {
 throw new IllegalArgumentException(
 "Invalid server principal " + serverPrincipal + 
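Review bot: The three comments added in authenticate() use "token" for three different things, which blurs the trust boundary this code enforces. In the first hunk the value read is the whole `Authorization` header; in the second hunk it is that header value which must carry the `Negotiate` prefix, and the token is what remains after `substring(...).trim()`; in the third hunk the check is on the server principal name parsed from the client-supplied token, and it is `startsWith("HTTP/")`, not "contains" as the comment says. Suggested wording: `// Read the raw Authorization header sent by the client.`, `// Header uses the Negotiate scheme: strip the prefix, the remainder is the client's token.`, and `// The server principal named in the client-supplied token must start with "HTTP/".` The body of authenticate() starts and ends outside these hunks, so the decode step between the second and third hunk is not visible here.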
@@ -338,6 +341,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
 new PrivilegedExceptionAction() {
 @Override
 public AuthenticationToken run() throws Exception {
+ // 开始校验token
 return runWithPrincipal(serverPrincipal, clientToken, base64, response);
 }
@@ -381,9 +385,11 @@ private AuthenticationToken runWithPrincipal(String serverPrincipal,
 authenticate);
 }
 if (!gssContext.isEstablished()) {
+ // 认证过程中。可能需要多次交换Token
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 LOG.trace("SPNEGO in progress");
 } else {
+ // 认证完成。
 String clientPrincipal = gssContext.getSrcName().toString();
 KerberosName kerberosName = new KerberosName(clientPrincipal);
 String userName = kerberosName.getShortName();
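Review bot: The two comments added in the `isEstablished()` branches of runWithPrincipal say only "in progress" and "finished", and leave out what each branch means for the caller. The 401 set in the first branch continues the SPNEGO exchange rather than rejecting the request, and in the else branch the identity is taken from the GSS context via `gssContext.getSrcName()`, not from anything in the request headers. Suggested wording: `// Context not yet established: the 401 asks the client to continue the SPNEGO exchange.` and `// Context established: the client principal comes from the GSS context and is mapped to a short user name.` runWithPrincipal starts and ends outside the hunk, so what the first branch finally returns cannot be confirmed from here.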