Date: Thu, 27 Mar 2014 21:44:19 +0000 (UTC)
From: "Jing Zhao (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Comment Edited] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations

[ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13949977#comment-13949977 ]

Jing Zhao edited comment on HDFS-4564 at 3/27/14 9:43 PM:
----------------------------------------------------------

# Why do we want to do this extra check for 401?
{code} + // server is demanding an authentication we don't support + if (code == HttpURLConnection.HTTP_UNAUTHORIZED) { + throw new IOException( + new AuthenticationException(conn.getResponseMessage())); + } {code}
# I think the following check should be included in the shouldRetry method.
{code} + Throwable cause = ioe.getCause(); + if (cause != null && cause instanceof AuthenticationException) { + throw ioe; // no retries for auth failures + } {code}
# I guess the checkTGTAndReloginFromKeytab has been covered by the current code? In the current implementation, before every operation webhdfsfs first calls ensureTokenInitialized which fetches token if necessary. And in this process before we open the connection, checkTGTAndReloginFromKeytab is called if necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want to change this mechanism, I think we should open a separate jira to do it.
{code} + if (op.getRequireAuth()) { + connectUgi.checkTGTAndReloginFromKeytab(); + } {code}

was (Author: jingzhao):
# Why do we want to do this extra check for 401?
{code} + // server is demanding an authentication we don't support + if (code == HttpURLConnection.HTTP_UNAUTHORIZED) { + throw new IOException( + new AuthenticationException(conn.getResponseMessage())); + } {code}
# I think the following check should be included in the shouldRetry method.
{code} + Throwable cause = ioe.getCause(); + if (cause != null && cause instanceof AuthenticationException) { + throw ioe; // no retries for auth failures + } {code}
# I guess the checkTGTAndReloginFromKeytab has been covered by the current code? In the current implementation, before everywebhdfsfs first calls ensureTokenInitialized which fetches token if necessary. And in this process before we open the connection, checkTGTAndReloginFromKeytab is called if necessary. See URLConnectionFactory#openConnection(URL, boolean). If we want to change this mechanism, I think we should open a separate jira to do it.
{code} + if (op.getRequireAuth()) { + connectUgi.checkTGTAndReloginFromKeytab(); + } {code}

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.patch, HDFS-4564.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying operations. Examples include rejecting invalid proxy user attempts and renew/cancel with an invalid user.

--
This message was sent by Atlassian JIRA (v6.2#6252)
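
Review bot: In the 401 hunk, the AuthenticationException is built from conn.getResponseMessage() alone, which HttpURLConnection documents as returning null when no reason phrase can be discerned, and the wrapping IOException adds no message of its own. The resulting exception can therefore reach the caller with no usable text. Consider composing a message that includes the response code and the request URL, so a rejected authentication can be told apart from other failures in the client log.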
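
Review bot: In the retry hunk, the cause != null test in "if (cause != null && cause instanceof AuthenticationException)" is redundant, since instanceof already evaluates to false for null. The check also looks only at the immediate cause of ioe, so an AuthenticationException nested one level deeper would still be retried. Consider dropping the null test and, if deeper wrapping is possible on this path, walking the cause chain before deciding to retry.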