hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10301) AuthenticationFilter should return Forbidden for failed authentication
Date Thu, 06 Feb 2014 18:56:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893657#comment-13893657 ]

Daryn Sharp commented on HADOOP-10301:
--------------------------------------

Sigh.  Nothing is ever as easy as it seems.

I first was going to specifically check if response.status=401 and !response.containsHeader(WWW-Authenticate).
HttpResponse appears to let you set the status, but not query it...  So I fell back to checking
errCode=401 and !response.containsHeader(WWW-Authenticate).  Now all the mocked unit tests
fail because they don't persist any state from the response.setHeader, so containsHeader always
returns false. :|

So, I can:
1. Try to change the unit tests and hope other projects' tests don't break.
2. Call it a day and unblock 2.3 because I can't find an existing code path that will cause an illegal 401.

If you agree with #2, we really should file another jira to clean up the filter + handler interactions.
Among other things, the auth cookie should exclusively be a feature of the auth filter.
Auth handlers shouldn't know anything about cookies.  That should make the logic much simpler
and easier to enforce proper auth handler behavior, but it's too much for me to do right now.

> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.branch-23.patch, HADOOP-10301.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a WWW-Authenticate header.  This is illegal per the HTTP RFC and causes an NPE in the HttpUrlConnection.
> This is half of a fix that affects webhdfs.  See HDFS-4564.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
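
Added example, not part of the original message and not Hadoop's own code: one way to make the check described in the comment possible is a response wrapper that records the WWW-Authenticate header itself, so it works even when the underlying (or mocked) response keeps no state, and sends 403 instead of a 401 that lacks the challenge. The class name ChallengeTrackingResponse and the method legalStatus are hypothetical, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical wrapper (added example, not Hadoop code). Assumes javax.servlet.
public class ChallengeTrackingResponse extends HttpServletResponseWrapper {
  private static final String CHALLENGE = "WWW-Authenticate";
  // Tracked here because a mocked response may not persist setHeader() state.
  private boolean challengeSet;

  public ChallengeTrackingResponse(HttpServletResponse response) {
    super(response);
  }

  private void track(String name) {
    if (CHALLENGE.equalsIgnoreCase(name)) {
      challengeSet = true;
    }
  }

  @Override public void setHeader(String name, String value) {
    track(name);
    super.setHeader(name, value);
  }

  @Override public void addHeader(String name, String value) {
    track(name);
    super.addHeader(name, value);
  }

  @Override public boolean containsHeader(String name) {
    return (challengeSet && CHALLENGE.equalsIgnoreCase(name))
        || super.containsHeader(name);
  }

  // A 401 without a challenge is not legal HTTP; send 403 Forbidden instead.
  int legalStatus(int sc) {
    return (sc == SC_UNAUTHORIZED && !containsHeader(CHALLENGE)) ? SC_FORBIDDEN : sc;
  }

  @Override public void setStatus(int sc) {
    super.setStatus(legalStatus(sc));
  }

  @Override public void sendError(int sc) throws IOException {
    super.sendError(legalStatus(sc));
  }

  @Override public void sendError(int sc, String msg) throws IOException {
    super.sendError(legalStatus(sc), msg);
  }
}
```

The downgrade only sees headers set before the status call, so a handler that wants a real 401 must set WWW-Authenticate first.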
