hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10301) AuthenticationFilter should return Forbidden for failed authentication
Date Fri, 31 Jan 2014 21:06:14 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13888166#comment-13888166 ]

Daryn Sharp commented on HADOOP-10301:
--------------------------------------

The 0.23 patch causes problems for oozie's use of auth cookies.  Oozie caches the cookies on the local fs until they are invalid and expects fallback to spnego to occur.

Currently, an uncaught AuthenticationException in a servlet sends the client an illegal 401 with no WWW-Authenticate header.  The existing behavior:
# 2.x catches and ignores AuthenticationException while validating auth cookies - expired, wrong secret, wrong type, etc.  A valid 401 + negotiate header is sent to trigger spnego.  No problem here.
# 0.23 does *not* catch AuthenticationException while validating auth cookies.  Servlet returns an illegal 401 with no auth header, causing a client NPE.
# Neither 2.x nor 0.23 catches AuthenticationExceptions if spnego fails or proxy authorization fails.  Servlet returns an illegal 401.  Client NPE.

These patches fix all these issues by converting uncaught AuthenticationExceptions from 401 to 403 Forbidden, which is entirely appropriate for #3.  However, for 0.23 (#2), the client does not revert to spnego for invalid auth cookies.  I'm studying AuthenticatedURL to see how the invalid 401 ever could have worked for oozie.  There's a tangle of issues with how webhdfs vs. oozie expects this to work that I'm investigating.


> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a WWW-Authenticate header.  This is illegal per the HTTP RFC and causes an NPE in the HttpUrlConnection.
> This is half of a fix that affects webhdfs.  See HDFS-4564.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
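The three server behaviours Daryn lists (2.x swallowing cookie errors and challenging with Negotiate, 0.23 letting the cookie error escape, and both branches letting a spnego or proxy-authorization failure escape) and the cookie-then-spnego client fallback they interact with, as an added example. This is not hadoop-auth, AuthenticatedURL or Oozie code: the cookie format (`user&secret`), the signer secret, the SPNEGO token table, the `doas` proxy-user table and every function name are constructed for the example. The `patched` flag switches the uncaught-exception path between the pre-patch illegal 401 (no WWW-Authenticate) and the post-patch 403.

```python
"""Toy model of the HTTP behaviour discussed in HADOOP-10301 (added example,
not hadoop-auth code). All secrets, tokens and tables below are constructed."""
from dataclasses import dataclass, field


class AuthenticationException(Exception):
    """Stand-in for the hadoop-auth AuthenticationException."""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


SECRET = "example-secret"                        # constructed signer secret
PROXY_USERS = {"oozie": {"alice"}}               # constructed proxy-user table
VALID_SPNEGO_TOKENS = {"token-for-oozie": "oozie"}  # constructed GSSAPI stand-in


def validate_cookie(cookie: str) -> str:
    """Toy auth cookie 'user&secret'; anything else is an AuthenticationException."""
    parts = cookie.split("&", 1)
    if len(parts) != 2 or not parts[0] or parts[1] != SECRET:
        raise AuthenticationException("invalid auth cookie")
    return parts[0]


def validate_spnego(token: str) -> str:
    """Toy SPNEGO: token must be in the constructed table."""
    try:
        return VALID_SPNEGO_TOKENS[token]
    except KeyError:
        raise AuthenticationException("SPNEGO failed") from None


def authentication_filter(request: dict, *, catch_cookie_errors: bool, patched: bool) -> Response:
    """Model of the filter. request keys: 'cookie', 'negotiate' (token), 'doas'.

    catch_cookie_errors=True  -> 2.x behaviour (#1): bad cookie falls back to a challenge
    catch_cookie_errors=False -> 0.23 behaviour (#2): bad cookie escapes as uncaught
    patched=False -> uncaught exceptions become an illegal 401 with no WWW-Authenticate
    patched=True  -> uncaught exceptions become 403 Forbidden
    """
    try:
        user = None
        if "cookie" in request:
            try:
                user = validate_cookie(request["cookie"])
            except AuthenticationException:
                if not catch_cookie_errors:
                    raise
                # 2.x: swallow and fall through to the SPNEGO challenge
        if user is None:
            token = request.get("negotiate")
            if token is None:
                return Response(401, {"WWW-Authenticate": "Negotiate"})
            user = validate_spnego(token)
        doas = request.get("doas")
        if doas is not None and doas not in PROXY_USERS.get(user, set()):
            raise AuthenticationException(f"{user} may not proxy {doas}")  # case #3
        return Response(200, {"X-Authenticated-User": doas or user})
    except AuthenticationException:
        if patched:
            return Response(403)
        return Response(401)  # pre-patch: 401 with no WWW-Authenticate header


def challenge_is_legal(resp: Response) -> bool:
    """A 401 must carry WWW-Authenticate; anything else is fine."""
    return resp.status != 401 or "WWW-Authenticate" in resp.headers


def client_request(server, cached_cookie: str, spnego_token: str, doas=None) -> Response:
    """Cookie first; fall back to SPNEGO only on a well-formed Negotiate challenge."""
    req = {"cookie": cached_cookie}
    if doas:
        req["doas"] = doas
    resp = server(req)
    if not challenge_is_legal(resp):
        # the point at which the real client NPEs on the missing header
        raise ValueError("illegal 401 without WWW-Authenticate")
    if resp.status == 401 and resp.headers.get("WWW-Authenticate") == "Negotiate":
        req = {"negotiate": spnego_token}
        if doas:
            req["doas"] = doas
        resp = server(req)
    return resp
```

Run it with a stale cookie against the three server variants: the 2.x model challenges and the client recovers via SPNEGO; the unpatched 0.23 model produces the illegal 401 the client cannot parse; the patched 0.23 model returns 403, which the client treats as final, so no fallback happens, which is the Oozie problem the comment describes.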
