[ https://issues.apache.org/jira/browse/HADOOP-8249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alejandro Abdelnur reopened HADOOP-8249: ---------------------------------------- we need backport for hadoop 1 > invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 > ---------------------------------------------------------------------------------------------------- > > Key: HADOOP-8249 > URL: https://issues.apache.org/jira/browse/HADOOP-8249 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 0.23.1, 2.0.0 > Reporter: bc Wong > Assignee: Alejandro Abdelnur > Fix For: 2.0.0 > > Attachments: HADOOP-8249.patch, HDFS-3198_branch-1.patch > > > WebHdfs gives out cookies. But when the client passes them back, it'd sometimes reject them and return a HTTP 401 instead. ("Sometimes" as in after a restart.) The interesting thing is that if the client doesn't pass the cookie back, WebHdfs will be totally happy. > The correct behaviour should be to ignore the cookie if it looks invalid, and attempt to proceed with the request handling. > I haven't tried HttpFs to see whether it handles restart better. > Reproducing it with curl: > {noformat} > #################################################### > ## Initial curl. Storing cookie to file. > #################################################### > [root@vbox2 ~]# curl -c /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus' > HTTP/1.1 200 OK > Content-Type: application/json > Expires: Thu, 01-Jan-1970 00:00:00 GMT > Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614686366&s=z2w5xpFlufnnEoOHxVRiXqxwtqM=";Path=/ > Content-Length: 597 > Server: Jetty(6.1.26) > {"FileStatuses":{"FileStatus":[ > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"} > ]}} > #################################################### > ## Another curl. Using the cookie jar. > #################################################### > [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus' > HTTP/1.1 200 OK > Content-Type: application/json > Content-Length: 597 > Server: Jetty(6.1.26) > {"FileStatuses":{"FileStatus":[ > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"} > ]}} > #################################################### > ## Restart NN. > #################################################### > [root@vbox2 ~]# /etc/init.d/hadoop-hdfs-namenode restartStopping Hadoop namenode: [ OK ] > stopping namenode > Starting Hadoop namenode: [ OK ] > starting namenode, logging to /var/log/hadoop-hdfs/hadoop-hdfs-namenode-vbox2.out > #################################################### > ## Curl using cookie jar gives error. > #################################################### > [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus' > HTTP/1.1 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature > Content-Type: text/html; charset=iso-8859-1 > Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT > Cache-Control: must-revalidate,no-cache,no-store > Content-Length: 1520 > Server: Jetty(6.1.26) > > > > Error 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature > >

HTTP ERROR 401

>

Problem accessing /webhdfs/v1/. Reason: >

    org.apache.hadoop.security.authentication.util.SignerException: Invalid signature


Powered by Jetty://
> ... > #################################################### > ## Curl without cookie jar is ok. > #################################################### > [root@vbox2 ~]# curl -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus' > HTTP/1.1 200 OK > Content-Type: application/json > Expires: Thu, 01-Jan-1970 00:00:00 GMT > Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614995947&s=IXSvPIDbNrqmZryivGeoey6Kjwo=";Path=/ > Content-Length: 597 > Server: Jetty(6.1.26) > {"FileStatuses":{"FileStatus":[ > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"}, > {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"} > ]}} > {noformat} -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira