hadoop-hdfs-issues mailing list archives

From "Jing Zhao (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations
Date Thu, 27 Mar 2014 21:44:19 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13949977#comment-13949977 ]

Jing Zhao edited comment on HDFS-4564 at 3/27/14 9:43 PM:
----------------------------------------------------------

# Why do we want to do this extra check for 401?
{code}
+    // server is demanding an authentication we don't support
+    if (code == HttpURLConnection.HTTP_UNAUTHORIZED) {
+      throw new IOException(
+          new AuthenticationException(conn.getResponseMessage()));
+    }
{code}
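Review bot: The comment on the 401 branch ("server is demanding an authentication we don't support") is narrower than the condition, which fires on every HTTP_UNAUTHORIZED. This issue reports that the server currently sends 401 for plain denials too, so those would also surface as an AuthenticationException; word the comment for the general case. In the same throw, conn.getResponseMessage() can return null, which leaves the exception without a message, so consider falling back to the status code when it does.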
# I think the following check should be included in the shouldRetry method.
{code}
+          Throwable cause = ioe.getCause();
+          if (cause != null && cause instanceof AuthenticationException) {
+            throw ioe; // no retries for auth failures
+          }
{code}
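Review bot: In the if condition, "cause != null &&" is redundant because instanceof already evaluates to false for null; "if (cause instanceof AuthenticationException)" is enough. The check also inspects only the direct cause of ioe, so an AuthenticationException wrapped one level deeper would still be retried; if callers can wrap it again, walk the cause chain instead.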
# I guess the checkTGTAndReloginFromKeytab has been covered by the current code? In the current
implementation, before every operation webhdfsfs first calls ensureTokenInitialized which
fetches token if necessary. And in this process before we open the connection, checkTGTAndReloginFromKeytab
is called if necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want
to change this mechanism, I think we should open a separate jira to do it.
{code}
+      if (op.getRequireAuth()) {
+        connectUgi.checkTGTAndReloginFromKeytab();
+      }
{code}


was (Author: jingzhao):
# Why do we want to do this extra check for 401?
{code}
+    // server is demanding an authentication we don't support
+    if (code == HttpURLConnection.HTTP_UNAUTHORIZED) {
+      throw new IOException(
+          new AuthenticationException(conn.getResponseMessage()));
+    }
{code}
# I think the following check should be included in the shouldRetry method.
{code}
+          Throwable cause = ioe.getCause();
+          if (cause != null && cause instanceof AuthenticationException) {
+            throw ioe; // no retries for auth failures
+          }
{code}
# I guess the checkTGTAndReloginFromKeytab has been covered by the current code? In the current
implementation, before everywebhdfsfs first calls ensureTokenInitialized which fetches token
if necessary. And in this process before we open the connection, checkTGTAndReloginFromKeytab
is called if necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want
to change this mechanism, I think we should open a separate jira to do it.
{code}
+      if (op.getRequireAuth()) {
+        connectUgi.checkTGTAndReloginFromKeytab();
+      }
{code}

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.patch, HDFS-4564.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying operations.  Examples include rejecting invalid proxy user attempts and renew/cancel with an invalid user.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
