Date: Fri, 6 Apr 2012 13:01:37 +0000 (UTC)
From: "Hudson (Commented) (JIRA)"
To: common-issues@hadoop.apache.org
Message-ID:
<801949316.23207.1333717297552.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HADOOP-8249) invalid hadoop-auth cookies should
trigger authentication if info is avail before returning HTTP 401
[ https://issues.apache.org/jira/browse/HADOOP-8249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13248310#comment-13248310 ]
Hudson commented on HADOOP-8249:
--------------------------------
Integrated in Hadoop-Hdfs-trunk #1006 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1006/])
HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)
Result = FAILURE
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
Files :
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
> invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401
> ----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-8249
> URL: https://issues.apache.org/jira/browse/HADOOP-8249
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.1, 2.0.0
> Reporter: bc Wong
> Assignee: Alejandro Abdelnur
> Fix For: 2.0.0
>
> Attachments: HADOOP-8249.patch
>
>
> WebHdfs gives out cookies. But when the client passes them back, it'd sometimes reject them and return an HTTP 401 instead. ("Sometimes" as in after a restart.) The interesting thing is that if the client doesn't pass the cookie back, WebHdfs will be totally happy.
> The correct behaviour should be to ignore the cookie if it looks invalid, and attempt to proceed with the request handling.
> I haven't tried HttpFs to see whether it handles restart better.
> Reproducing it with curl:
> {noformat}
> ####################################################
> ## Initial curl. Storing cookie to file.
> ####################################################
> [root@vbox2 ~]# curl -c /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
> HTTP/1.1 200 OK
> Content-Type: application/json
> Expires: Thu, 01-Jan-1970 00:00:00 GMT
> Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614686366&s=z2w5xpFlufnnEoOHxVRiXqxwtqM=";Path=/
> Content-Length: 597
> Server: Jetty(6.1.26)
> {"FileStatuses":{"FileStatus":[
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
> ]}}
> ####################################################
> ## Another curl. Using the cookie jar.
> ####################################################
> [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
> HTTP/1.1 200 OK
> Content-Type: application/json
> Content-Length: 597
> Server: Jetty(6.1.26)
> {"FileStatuses":{"FileStatus":[
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
> ]}}
> ####################################################
> ## Restart NN.
> ####################################################
> [root@vbox2 ~]# /etc/init.d/hadoop-hdfs-namenode restart
> Stopping Hadoop namenode: [ OK ]
> stopping namenode
> Starting Hadoop namenode: [ OK ]
> starting namenode, logging to /var/log/hadoop-hdfs/hadoop-hdfs-namenode-vbox2.out
> ####################################################
> ## Curl using cookie jar gives error.
> ####################################################
> [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
> HTTP/1.1 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
> Content-Type: text/html; charset=iso-8859-1
> Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Length: 1520
> Server: Jetty(6.1.26)
>
> Error 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
>
> HTTP ERROR 401
> Problem accessing /webhdfs/v1/. Reason:
> org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
> Powered by Jetty://
> ...
> ####################################################
> ## Curl without cookie jar is ok.
> ####################################################
> [root@vbox2 ~]# curl -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
> HTTP/1.1 200 OK
> Content-Type: application/json
> Expires: Thu, 01-Jan-1970 00:00:00 GMT
> Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614995947&s=IXSvPIDbNrqmZryivGeoey6Kjwo=";Path=/
> Content-Length: 597
> Server: Jetty(6.1.26)
> {"FileStatuses":{"FileStatus":[
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
> {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
> ]}}
> {noformat}
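The behaviour the issue asks for, sketched as an added example that is not part of the original message and is not hadoop-auth source: a cookie that fails verification is dropped and the request falls back to the authentication info it carries, with 401 only when there is none. Assumptions: the class name `CookieFallbackDemo` is hypothetical, HMAC-SHA256 stands in for the project's signer, and the restart is modelled as the server holding a different signing secret.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
// Constructed model of the behaviour requested in HADOOP-8249; not hadoop-auth source.
public class CookieFallbackDemo {
    private final byte[] secret; // assumption: a restart leaves the server with a new secret
    CookieFallbackDemo(String secret) { this.secret = secret.getBytes(StandardCharsets.UTF_8); }

    String sign(String token) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256"); // stand-in MAC, not the project's signer
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] sig = mac.doFinal(token.getBytes(StandardCharsets.UTF_8));
        return token + "&s=" + Base64.getEncoder().encodeToString(sig);
    }

    // Returns the token when signature and expiry both check out, otherwise null.
    String verify(String cookie, long now) throws Exception {
        int i = (cookie == null) ? -1 : cookie.lastIndexOf("&s=");
        if (i < 0) return null;
        String token = cookie.substring(0, i);
        byte[] expected = sign(token).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, cookie.getBytes(StandardCharsets.UTF_8))) return null;
        for (String kv : token.split("&"))
            if (kv.startsWith("e=") && Long.parseLong(kv.substring(2)) > now) return token;
        return null;
    }

    // A bad cookie is discarded, never trusted; the request must then authenticate afresh.
    String handle(String cookie, String userName, long now) throws Exception {
        if (verify(cookie, now) != null) return "200 cookie accepted";
        if (userName != null && userName.matches("[A-Za-z0-9_.-]+")) { // keeps '&' and '=' out of the token
            String fresh = sign("u=" + userName + "&p=" + userName + "&t=simple&e=" + (now + 36_000_000L));
            return "200 Set-Cookie: hadoop.auth=\"" + fresh + "\"";
        }
        return "401 no valid cookie and no usable credentials";
    }

    public static void main(String[] args) throws Exception {
        long now = 1_333_578_686_366L; // constructed clock value
        CookieFallbackDemo before = new CookieFallbackDemo("secret-before-restart");
        String cookie = before.sign("u=bcwalrus&p=bcwalrus&t=simple&e=" + (now + 36_000_000L));
        CookieFallbackDemo after = new CookieFallbackDemo("secret-after-restart");
        System.out.println(before.handle(cookie, null, now));      // secret unchanged
        System.out.println(after.handle(cookie, "bcwalrus", now)); // secret changed, user.name present
        System.out.println(after.handle(cookie, null, now));       // secret changed, no credentials
    }
}
```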