You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/05/02 06:34:14 UTC

[jira] [Commented] (HADOOP-8830) org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors

    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524718#comment-14524718 ] 

Hadoop QA commented on HADOOP-8830:
-----------------------------------

\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:red}-1{color} | patch |   0m  0s | The patch command could not apply the patch during dryrun. |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12605624/HADOOP-8830.20131027.1.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / f1a152c |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6314/console |


This message was automatically generated.

> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.2.0
>            Reporter: Moritz Moeller
>            Assignee: Omkar Vinit Joshi
>            Priority: Critical
>         Attachments: HADOOP-8830.20131026.1.patch, HADOOP-8830.20131027.1.patch
>
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack exception.
> I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)