hadoop-common-issues mailing list archives

From "Moritz Moeller (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8830) org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
Date Fri, 15 Mar 2013 15:12:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13603444#comment-13603444 ]

Moritz Moeller commented on HADOOP-8830:
----------------------------------------

No, it looks as if org.apache.hadoop.security.authentication.server.AuthenticationFilter is
added twice to the jetty filter chain configuration.
As soon as the authentication succeeds and the AuthenticationFilter calls filterChain.doFilter,
the AuthenticationFilter is called again. Stack trace looks like this:

org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:356)
org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:356)
org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
org.apache.hadoop.http.HttpServer$QuotingInputFilter.doFilter(HttpServer.java:1075)

The NoCacheFilter servlet is also called twice, but that is probably because it is added both
in the constructor and in addDefaultApps in org.apache.hadoop.http.HttpServer.

Right now (using CDH 4.2.0) I still have to patch the AuthenticationFilter to directly call
filterChain.doFilter; return if the filter was already called before.



                
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called
> twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha
>            Reporter: Moritz Moeller
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser()
> returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack
> exception.
> I solved this by adding an if (httpRequest.getRemoteUser() == null) at the very beginning
> of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is
> called twice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
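
The failure mode and the request-attribute guard discussed in this message, as an added self-contained model. It is not code from the original message, Hadoop or Jetty; the Request class, the replay-cache set, the attribute name and the token strings are all constructed stand-ins.

```java
import java.util.*;

// Added illustration: a self-contained model, not Hadoop or Jetty code.
public class DoubleFilterDemo {
    // Minimal stand-in for a servlet request: one client token plus server-side attributes.
    static class Request {
        final String token;
        final Map<String, Object> attrs = new HashMap<>();
        Request(String token) { this.token = token; }
    }
    interface Filter { void doFilter(Request req, Iterator<Filter> chain); }

    static final String DONE = "demo.auth.done";  // hypothetical attribute name

    // Stand-in for the Kerberos acceptor's replay cache: each token is accepted once.
    static final Set<String> replayCache = new HashSet<>();

    static void next(Request req, Iterator<Filter> chain) {
        if (chain.hasNext()) chain.next().doFilter(req, chain);
    }

    static class AuthFilter implements Filter {
        final boolean guarded;
        AuthFilter(boolean guarded) { this.guarded = guarded; }

        public void doFilter(Request req, Iterator<Filter> chain) {
            // Guard: this request was already authenticated earlier in the same chain.
            if (guarded && req.attrs.get(DONE) != null) { next(req, chain); return; }
            if (!replayCache.add(req.token))
                throw new IllegalStateException("Request is a replay");
            req.attrs.put(DONE, Boolean.TRUE);  // set by the filter itself, never from client input
            next(req, chain);
        }
    }

    // Sends one request through a chain in which the auth filter is registered twice.
    static String run(boolean guarded, String token) {
        Filter f = new AuthFilter(guarded);
        try {
            next(new Request(token), Arrays.asList(f, f).iterator());
            return "ok";
        } catch (IllegalStateException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + run(false, "constructed-token-1"));
        System.out.println("guarded:   " + run(true, "constructed-token-2"));
    }
}
```

The guard keys on an attribute that only the filter writes, so the second invocation is skipped without weakening replay detection for a token that arrives on a separate request.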
