hadoop-common-issues mailing list archives

From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14687) AuthenticatedURL will reuse bad/expired session cookies
Date Mon, 21 Aug 2017 16:27:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135391#comment-16135391 ]

Jason Lowe commented on HADOOP-14687:
-------------------------------------

Thanks for the patch!

Wondering if it is worth protecting the code from a case where someone tries to set the same
cookie redundantly. Looks like the code will reduce the max age of the cookie each time.
Seems like a simple "is this the same cookie we already have" check before we lower the max
age could make it do something sane in that unexpected case.

Otherwise patch looks good to me.

> AuthenticatedURL will reuse bad/expired session cookies
> -------------------------------------------------------
>
>                 Key: HADOOP-14687
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14687
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.6.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-14687.2.trunk.patch, HADOOP-14687.trunk.patch
>
>
> AuthenticatedURL with Kerberos was designed to perform SPNEGO, then use a session cookie
> to avoid renegotiation overhead. Unfortunately the client will continue to use a cookie after
> it expires. Every request elicits a 401, connection closes (despite keepalive because 401
> is an "error"), TGS is obtained, connection re-opened, re-requests with TGS, repeat cycle.
> This places a strain on the KDC and creates lots of TIME_WAIT sockets.
>
> The main problem is unbeknownst to the auth url, the JDK transparently does SPNEGO.
> The server issues a new cookie but the auth url doesn't scrape the cookie from the response
> because it doesn't know the JDK re-authenticated.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
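
An added example, not part of the original message and not code from the HADOOP-14687 patch: one way to write the "is this the same cookie we already have" check suggested in the comment, alongside refusing to hand out an expired cookie as described in the issue. The class name `SessionCookieHolder`, the 0.9 shrink factor (and the idea that the max age is lowered to expire slightly early) and the sample cookie are assumptions made for illustration.

```java
import java.net.HttpCookie;

// Hypothetical holder for the client's auth session cookie (not Hadoop's class).
public class SessionCookieHolder {
    // Assumed margin: treat the cookie as expired slightly before the server does.
    private static final double EARLY_EXPIRY_FACTOR = 0.9;

    private HttpCookie current;

    public synchronized void setCookie(HttpCookie incoming) {
        if (incoming == null || incoming.getValue() == null
                || incoming.getValue().isEmpty()) {
            current = null;               // no usable session cookie
            return;
        }
        // HttpCookie.equals() ignores the value, so compare it explicitly.
        if (current != null
                && current.getName().equals(incoming.getName())
                && current.getValue().equals(incoming.getValue())) {
            return;                       // same cookie: do not lower max age again
        }
        long maxAge = incoming.getMaxAge();
        if (maxAge > 0) {
            incoming.setMaxAge((long) (maxAge * EARLY_EXPIRY_FACTOR));
        }
        current = incoming;
    }

    // Returns null once the cookie has expired, so the caller re-authenticates
    // instead of replaying a stale cookie and drawing a 401.
    public synchronized HttpCookie getCookie() {
        if (current != null && current.hasExpired()) {
            current = null;
        }
        return current;
    }

    public static void main(String[] args) {
        SessionCookieHolder holder = new SessionCookieHolder();
        // Constructed sample cookie; name and value are placeholders.
        HttpCookie c = new HttpCookie("session", "constructed-token");
        c.setMaxAge(3600);
        for (int i = 0; i < 3; i++) {
            holder.setCookie(c);          // redundant sets of the same cookie
        }
        System.out.println("max age after 3 sets: " + holder.getCookie().getMaxAge());
    }
}
```

Without the name-and-value comparison, each redundant `setCookie` call on the same object would multiply the max age by the factor again.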

