hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10301) AuthenticationFilter should return Forbidden for failed authentication
Date Wed, 09 Mar 2016 21:42:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15188097#comment-15188097
] 

Robert Kanter commented on HADOOP-10301:
----------------------------------------

This breaks how the Oozie Client was checking for expired auth tokens (OOZIE-2485).  I was
looking into something related, and saw that when using Kerberos and an expired auth token,
Oozie Client wasn't getting a new token.  

I didn't notice this problem until I really dug into the code because the Oozie client commands
would still succeed, it would always just log a warning in the Oozie Server from hadoop-auth
about the token, and use Kerberos.

After a lot of debugging, I figured out the cause.  Currently, Oozie does this in {{AuthOozieClient}}
to determine if a token has expired:
{code:java}
        if (currentToken.isSet()) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("OPTIONS");
            AuthenticatedURL.injectToken(conn, currentToken);
            if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
                AUTH_TOKEN_CACHE_FILE.delete();
                currentToken = new AuthenticatedURL.Token();
            }
        }
{code}
Previously, the response code would be 401 when the token expired.  Oozie Client would clear
out {{currentToken}} and some later code would get a new one after using the {{KerberosAuthenticator}}.
 However, it's now 200 here and returns a new token (in the header) after successfully doing
SPNEGO without (Oozie explicitly) calling the {{KerberosAuthenticator}} at all.  To fix this,
Oozie has to modify the above to do this:
{code:java}
        if (currentToken.isSet()) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("OPTIONS");
            AuthenticatedURL.injectToken(conn, currentToken);
            if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
                AUTH_TOKEN_CACHE_FILE.delete();
                currentToken = new AuthenticatedURL.Token();
            } else {
                try {
                    AuthenticatedURL.extractToken(conn, currentToken);
                } catch (AuthenticationException ex) {
                    AUTH_TOKEN_CACHE_FILE.delete();
                    currentToken = new AuthenticatedURL.Token();
                }
        }
{code}
Here it will try to extract the new token if one was given using {{AuthenticatedURL.extractToken}},
which will update {{currentToken}}.

> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>             Fix For: 2.4.0
>
>         Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.branch-23.patch, HADOOP-10301.patch,
HADOOP-10301.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a WWW-Authenticate
headers.  The is illegal per the HTTP RPC and causes a NPE in the HttpUrlConnection.
> This is half of a fix that affects webhdfs.  See HDFS-4564.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message