Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0DF4D119F9 for ; Wed, 30 Jul 2014 14:05:40 +0000 (UTC) Received: (qmail 21308 invoked by uid 500); 30 Jul 2014 14:05:39 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 21252 invoked by uid 500); 30 Jul 2014 14:05:39 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 21237 invoked by uid 99); 30 Jul 2014 14:05:39 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 Jul 2014 14:05:39 +0000 Date: Wed, 30 Jul 2014 14:05:39 +0000 (UTC) From: "Venkat Ranganathan (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079302#comment-14079302 ] Venkat Ranganathan commented on HADOOP-10710: --------------------------------------------- [~tucu00] Yes. With the fixes in HADOOP-10710, Oozie console in a secure cluster is functional. > hadoop.auth cookie is not properly constructed according to RFC2109 > ------------------------------------------------------------------- > > Key: HADOOP-10710 > URL: https://issues.apache.org/jira/browse/HADOOP-10710 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.4.0 > Reporter: Alejandro Abdelnur > Assignee: Juan Yu > Fix For: 2.5.0 > > Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch, HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch, HADOOP-10710.006.patch, HADOOP-10710.007.patch > > > It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are being constructed. > Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}} class and corresponding {{HttpServletResponse}} methods. This was taking care of setting attributes like 'Version=1' and double-quoting the cookie value if necessary. > HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and setting values and attributes by hand. This is not taking care of setting required attributes like Version and escaping the cookie value. > While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its access is broken since this change. > It seems that HADOOP-10379 main objective was to set the 'secure' attribute. Note this can be done using the {{Cookie}} API. > We should revert the cookie creation logic to use the {{Cookie}} API and take care of the security flag via {{setSecure(boolean)}}. -- This message was sent by Atlassian JIRA (v6.2#6252)