hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations
Date Mon, 27 Jan 2014 17:21:39 GMT

     [ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Daryn Sharp updated HDFS-4564:
------------------------------

    Attachment: HDFS-4564.branch-23.patch

Pretty straightforward patch to return 403 in the filter instead an illegal 401 when an auth
failure occurs.

The webhdfs client won't unnecessarily use the flawed AuthenticatedUrl for delegation token
operations.  It's unnecessary because java already handles spnego.  If spnego fails, AuthenticatedURL
falls back to a pseudo authenticator assuming spnego isn't needed - but also fails when java
retries spnego and triggers a replay attack followed by a NPE in the client.

Also had to hoist webhdfs doAs higher to ensure the correct ugi is used for the connection.

Will attach trunk/branch-2 patch shortly.

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying
operations.  Examples including rejecting invalid proxy user attempts and renew/cancel with
an invalid user.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message