Date: Tue, 2 Jun 2015 00:55:18 +0000 (UTC)
From: "Yongjun Zhang (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-4564) Webhdfs returns incorrect http response codes for denied operations

[ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568320#comment-14568320 ]

Yongjun Zhang commented on HDFS-4564:
-------------------------------------

Hi [~daryn],

Thanks for your earlier work on this jira. I need some help related to this jira, thanks in advance for your time!

I'm looking into an issue where the following AuthenticationException is thrown when accessing httpfs via webhdfs in a secure cluster:

{code}
systest@yj52s ~]$ java -cp $(hadoop classpath):. Foo
15/05/30 00:05:03 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
Exception in thread "main" java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Unauthorized
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:309)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$700(WebHdfsFileSystem.java:108)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.getResponse(WebHdfsFileSystem.java:625)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:528)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$200(WebHdfsFileSystem.java:443)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:473)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:470)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:469)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:436)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:999)
	at org.apache.hadoop.hdfs.web.TokenAspect.ensureTokenInitialized(TokenAspect.java:140)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:235)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getAuthParameters(WebHdfsFileSystem.java:393)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.toUrl(WebHdfsFileSystem.java:414)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$FsPathRunner.getUrl(WebHdfsFileSystem.java:649)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.init(WebHdfsFileSystem.java:483)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:524)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$200(WebHdfsFileSystem.java:443)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:473)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:470)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:469)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:436)
	at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.listStatus(WebHdfsFileSystem.java:982)
	at Foo.main(Foo.java:7)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Unauthorized
	... 30 more
[systest@yj52s ~]$
{code}

The source code of Foo.java:

{code}
 1 import org.apache.hadoop.conf.*;
 2 import org.apache.hadoop.fs.*;
 3 import org.apache.hadoop.security.*;
 4 class Foo {
 5   public static void main(String args[]) throws Exception {
 6     FileSystem fs = FileSystem.get(new java.net.URI("webhdfs://yj54s.vpc.cloudera.com:14000/"), new Configuration()); //accessing httpfs via webhdfs
 7     System.out.println(fs.listStatus(new Path("/tmp"))[0]);
 8     java.io.OutputStream os = fs.create(new Path("/tmp/foo"));
 9     os.write('a');
10     os.close();
11   }
12 }
{code}

When I ran without HDFS-4564, it appears to run ok. So the behavior of the above program is changed by HDFS-4564. I guess it worked because "incorrect http response returned" (which is fixed by HDFS-4564). I traced the execution a bit and I see no "fallback to pseudo auth" happens in this working run.

Would you please shed some light on your understanding here?

Thanks a lot!

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>             Fix For: 2.4.0
>
>         Attachments: HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.branch-23.patch, HDFS-4564.patch, HDFS-4564.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's denying operations. Examples include rejecting invalid proxy user attempts and renew/cancel with an invalid user.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)