hadoop-common-issues mailing list archives

From "Omkar Vinit Joshi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8830) org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
Date Thu, 03 Oct 2013 20:40:43 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13785511#comment-13785511 ]

Omkar Vinit Joshi commented on HADOOP-8830:
-------------------------------------------

[~tucu00] can you take a look at the other patch [patch-2|https://issues.apache.org/jira/secure/attachment/12605624/HADOOP-8830.20131027.1.patch]?
It is as per [~vinodkv]'s suggestion. I think both approaches are trying to solve the same problem.
However, the reason I preferred updating cookies was that for AuthenticationFilter it is very clear
to check the cookie first (assuming it is getting called for the first time only) and, if not found,
then try to create one. Today, even if AuthenticationFilter finds the auth cookie, it DOESN'T
remove it from the request; it is just passed on. So clearly there is a behavior difference
between cookie (isPresent and isAbsent). Also please take a look at YARN-621. Issues like
that are quite annoying.

> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.1.2-beta
>            Reporter: Moritz Moeller
>            Assignee: Omkar Vinit Joshi
>            Priority: Critical
>         Attachments: HADOOP-8830.20131026.1.patch, HADOOP-8830.20131027.1.patch
>
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack exception.
> I solved this by adding an if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
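
Added example, not part of the original message or of Hadoop's code: a plain-JDK model of the failure described in the issue, where a second pass of the filter over the same request re-submits the Kerberos token and the acceptor's replay check rejects it, shown next to the request-attribute guard the reporter mentions as an alternative. The classes `Request` and `ReplayCache`, the attribute name, the token strings and the principal are all constructed for illustration.

```java
import java.util.*;

// Constructed model of the double-invocation problem; none of these classes are Hadoop's.
public class DoubleFilterDemo {
    // Stand-in for a servlet request: one negotiate token plus request attributes.
    static class Request {
        final String token;
        final Map<String, Object> attrs = new HashMap<>();
        Request(String token) { this.token = token; }
    }

    // Stand-in for the Kerberos acceptor: a token is accepted only once.
    static class ReplayCache {
        private final Set<String> seen = new HashSet<>();
        String accept(String token) {
            if (!seen.add(token)) throw new SecurityException("Request is a replay");
            return "alice"; // constructed principal
        }
    }

    static final String USER_ATTR = "demo.authenticated.user"; // hypothetical attribute name

    // Unguarded filter: runs the Kerberos exchange on every invocation.
    static String unguarded(Request r, ReplayCache kdc) {
        return kdc.accept(r.token);
    }

    // Guarded filter: a pass that finds the marker skips authentication entirely.
    static String guarded(Request r, ReplayCache kdc) {
        Object user = r.attrs.get(USER_ATTR);
        if (user == null) {
            user = kdc.accept(r.token);
            r.attrs.put(USER_ATTR, user);
        }
        return (String) user;
    }

    public static void main(String[] args) {
        ReplayCache kdc = new ReplayCache();
        Request r1 = new Request("token-1"); // constructed token
        unguarded(r1, kdc);
        try {
            unguarded(r1, kdc); // second pass over the same request
        } catch (SecurityException e) {
            System.out.println("unguarded, second pass: " + e.getMessage());
        }
        Request r2 = new Request("token-2"); // constructed token
        guarded(r2, kdc);
        System.out.println("guarded, second pass: " + guarded(r2, kdc));
    }
}
```

In a real servlet filter the marker would be a request attribute, which is set by server-side code and is not taken from client-supplied headers or cookies.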
