hadoop-hdfs-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations
Date Mon, 27 Jan 2014 18:21:40 GMT

https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883046#comment-13883046

Daryn Sharp commented on HDFS-4564:

I was going to file separate patches, but splitting the patch will cause unit test failures until all pieces are integrated.  I can split it if you want.

I don't believe I saw a pro-active sending of the service ticket in the tcpdumps.  I'll go back and double check, but it's valid behavior per RFC4559:

    4.2.  The Authorization Request Header
    A client may initiate a connection to the server with an
    "Authorization" header containing the initial token for the server.
    This form will bypass the initial 401 error from the server when the
    client knows that the server will accept the Negotiate HTTP
    authentication type.

I'm not sure what value AuthenticatedURL is adding though.  It's supposed to retry spnego if/after java fails spnego (401 + WWW-Authenticate: Negotiate).  That condition never occurs.  Otherwise it falls back to the pseudo auth for non-200 response, incorrectly assuming security is disabled, where java tries spnego again and fails.

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4564.branch-23.patch
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying
> operations.  Examples include rejecting invalid proxy user attempts and renew/cancel with
> an invalid user.
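The distinction the issue and the comment above turn on, as an added example (this is not Hadoop code; `secure_server`, `webhdfs_status_for`, `classify_response`, `flawed_client` and `fixed_client` are hypothetical stand-ins, and the only behaviour taken from the thread is AuthenticatedURL's described fallback to pseudo auth on any non-200 response): a server maps "not identified" to 401 with a `WWW-Authenticate: Negotiate` challenge and "identified but not permitted" (invalid proxy user, bad renewer) to 403, and a client that conflates the two ends up retrying with a different auth scheme for a request that can never succeed, while a client that sends the token pre-emptively per RFC 4559 s4.2 and treats 403 as final stops after one round trip.

```python
"""Added example, not Hadoop code: models the 401-vs-403 distinction behind HDFS-4564.

All names here are hypothetical stand-ins. The secure server below never accepts pseudo
auth (user.name), which is what makes the described fallback a dead end.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


class AuthenticationFailure(Exception):
    """Caller could not be identified (missing or invalid SPNEGO token)."""


class AccessDenied(Exception):
    """Caller is identified but not permitted (e.g. invalid proxy user, wrong renewer)."""


def webhdfs_status_for(exc: Exception) -> Response:
    """Server side: map a failure onto the status HTTP intends.

    401 means "authenticate (again)" and must carry WWW-Authenticate so the client knows
    which scheme to retry; 403 means "you are known and the answer is no". Returning 401
    for a denied operation invites clients to re-authenticate forever."""
    if isinstance(exc, AuthenticationFailure):
        return Response(401, {"WWW-Authenticate": "Negotiate"})
    if isinstance(exc, AccessDenied):
        return Response(403)
    return Response(500)


def secure_server(authorization: Optional[str], exc: Optional[Exception] = None) -> Response:
    """Hypothetical secured cluster: SPNEGO only, pseudo auth is never accepted."""
    if not authorization or not authorization.startswith("Negotiate "):
        return Response(401, {"WWW-Authenticate": "Negotiate"})  # the standard challenge
    if exc is not None:
        return webhdfs_status_for(exc)
    return Response(200)


def classify_response(resp: Response) -> str:
    """Client side: decide what a response actually asks of us."""
    if resp.status == 200:
        return "ok"
    if resp.status == 401 and resp.headers.get("WWW-Authenticate", "").startswith("Negotiate"):
        return "retry-spnego"
    if resp.status == 403:
        return "denied"  # final answer: do not switch auth schemes
    return "error"


# Constructed placeholder; a real client obtains the token from GSS-API / JGSS.
PREEMPTIVE = "Negotiate <constructed-spnego-token>"


def flawed_client(exc: Optional[Exception]) -> List[Tuple[str, int]]:
    """Fallback as described in the comment: any non-200 => assume security is off and
    retry with pseudo auth. On a secure cluster the second try only earns another 401."""
    trace = [("spnego", secure_server(PREEMPTIVE, exc).status)]
    if trace[-1][1] != 200:
        trace.append(("pseudo", secure_server(None, exc).status))
    return trace


def fixed_client(exc: Optional[Exception]) -> List[Tuple[str, int]]:
    """Send the token pre-emptively (RFC 4559 s4.2) to skip the initial 401, retry SPNEGO
    only when the server asks for it, and treat 403 as final."""
    resp = secure_server(PREEMPTIVE, exc)
    trace = [("spnego", resp.status)]
    if classify_response(resp) == "retry-spnego":
        resp = secure_server(PREEMPTIVE, exc)  # one re-negotiation, same scheme
        trace.append(("spnego-retry", resp.status))
    return trace


if __name__ == "__main__":
    for label, exc in (("allowed", None), ("denied", AccessDenied()), ("unauthenticated", AuthenticationFailure())):
        print(f"{label:16} flawed={flawed_client(exc)}  fixed={fixed_client(exc)}")
```

Running it shows the failure mode the comment describes: for a denied proxy-user request the flawed client sees 403, falls back to pseudo auth, and gets a 401 challenge it cannot satisfy, whereas the fixed client stops at the 403.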
