hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-14327) KerberosAuthenticationHandler#authenticate throws meaningless exception with empty server principals
Date Wed, 19 Apr 2017 18:51:42 GMT
Wei-Chiu Chuang created HADOOP-14327:
----------------------------------------

             Summary: KerberosAuthenticationHandler#authenticate throws meaningless exception
with empty server principals
                 Key: HADOOP-14327
                 URL: https://issues.apache.org/jira/browse/HADOOP-14327
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 3.0.0-alpha2
            Reporter: Wei-Chiu Chuang
            Priority: Minor


If somehow KerberosAuthenticationHandler#authenticate gets an empty service principal set,
it throws a useless exception like the following:

{noformat}
2017-04-19 10:11:39,812 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter:
Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationExceptio
n
org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452)
        at org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193)
        at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400)
        at org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180)
        at org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532)
{noformat}

The following code has a logic error. If serverPrincipals is empty, token remains null in
the end, but lastException is also null too, so throwing it is meaningless. It should throw
with a more meaningful message.
{code:title=KerberosAuthenticationHandler#authenticate}
                AuthenticationToken token = null;
                Exception lastException = null;
                for (String serverPrincipal : serverPrincipals) {
                  try {
                    token = runWithPrincipal(serverPrincipal, clientToken,
                        base64, response);
                  } catch (Exception ex) {
                    lastException = ex;
                    LOG.trace("Auth {} failed with {}", serverPrincipal, ex);
                  } finally {
                      if (token != null) {
                        LOG.trace("Auth {} successfully", serverPrincipal);
                        break;
                    }
                  }
                }
                if (token != null) {
                  return token;
                } else {
                  throw new AuthenticationException(lastException);
                }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org


Mime
View raw message