hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14327) KerberosAuthenticationHandler#authenticate throws meaningless exception when server principals set is empty
Date Wed, 19 Apr 2017 19:44:41 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-14327:
-------------------------------------
    Summary: KerberosAuthenticationHandler#authenticate throws meaningless exception when server principals set is empty  (was: KerberosAuthenticationHandler#authenticate throws meaningless exception server principals set is empty)

> KerberosAuthenticationHandler#authenticate throws meaningless exception when server principals set is empty
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14327
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14327
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0-alpha2
>            Reporter: Wei-Chiu Chuang
>            Priority: Minor
>
> If somehow KerberosAuthenticationHandler#authenticate gets an empty service principal set, it throws a useless exception like the following:
> {noformat}
> 2017-04-19 10:11:39,812 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationException
> org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452)
>         at org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193)
>         at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400)
>         at org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180)
>         at org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532)
> {noformat}
> The following code has a logic error. If serverPrincipals is empty, token remains null in the end, but lastException is also null, so throwing it is meaningless. It should throw with a more meaningful message.
> {code:title=KerberosAuthenticationHandler#authenticate}
>                 AuthenticationToken token = null;
>                 Exception lastException = null;
>                 for (String serverPrincipal : serverPrincipals) {
>                   try {
>                     token = runWithPrincipal(serverPrincipal, clientToken,
>                         base64, response);
>                   } catch (Exception ex) {
>                     lastException = ex;
>                     LOG.trace("Auth {} failed with {}", serverPrincipal, ex);
>                   } finally {
>                     if (token != null) {
>                       LOG.trace("Auth {} successfully", serverPrincipal);
>                       break;
>                     }
>                   }
>                 }
>                 if (token != null) {
>                   return token;
>                 } else {
>                   throw new AuthenticationException(lastException);
>                 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
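
One way the loop quoted above could fail closed with a diagnosable message, as an added example that is not Hadoop's code and not the patch for this issue. PrincipalLoopExample, PrincipalAuthenticator and the local AuthenticationException are hypothetical stand-ins so the file compiles alone; the principals are constructed sample values.

```java
import java.util.*;

public class PrincipalLoopExample {
  // Local stand-in for Hadoop's AuthenticationException so the example compiles alone.
  static class AuthenticationException extends Exception {
    AuthenticationException(String msg, Throwable cause) { super(msg, cause); }
  }
  // Hypothetical stand-in for runWithPrincipal(...): returns a token or throws.
  interface PrincipalAuthenticator {
    String authenticate(String serverPrincipal) throws Exception;
  }

  static String authenticate(Set<String> serverPrincipals, PrincipalAuthenticator auth)
      throws AuthenticationException {
    // Fail closed with an actionable message instead of wrapping a null cause.
    if (serverPrincipals == null || serverPrincipals.isEmpty()) {
      throw new AuthenticationException(
          "No server principals available; cannot authenticate the request", null);
    }
    Exception lastException = null;
    for (String serverPrincipal : serverPrincipals) {
      try {
        String token = auth.authenticate(serverPrincipal);
        if (token != null) return token;
      } catch (Exception ex) {
        lastException = ex; // keep the most recent failure as the cause
      }
    }
    // The cause can still be null here if every attempt returned null without throwing.
    throw new AuthenticationException("Authentication failed for all "
        + serverPrincipals.size() + " server principal(s)", lastException);
  }

  public static void main(String[] args) throws Exception {
    // Constructed principals and a fake authenticator, for illustration only.
    PrincipalAuthenticator fake = p -> {
      if (p.startsWith("HTTP/good")) return "token:" + p;
      throw new IllegalStateException("no key for " + p);
    };
    Set<String> principals = new LinkedHashSet<>(Arrays.asList(
        "HTTP/bad.example.com@EXAMPLE.COM", "HTTP/good.example.com@EXAMPLE.COM"));
    System.out.println(authenticate(principals, fake));
    try {
      authenticate(Collections.emptySet(), fake);
    } catch (AuthenticationException e) {
      System.out.println("Rejected: " + e.getMessage());
    }
  }
}
```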
