Posted to issues@calcite.apache.org by "Josh Elser (Jira)" <ji...@apache.org> on 2020/12/24 02:50:00 UTC

[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

    [ https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17254375#comment-17254375 ] 

Josh Elser commented on CALCITE-4152:
-------------------------------------

Looking at this for fun, the general wag at what Hadoop is doing is this...
 * After a successful SPNEGO auth'n, they send a Set-Cookie header back to the client
 * The cookie looks something like {{Set-Cookie: hadoop.auth="u=guest&p=guest/c6401.ambari.apache.org@EXAMPLE.COM&t=kerberos&e=1487947765114&s=fNpq9FYy2DA19Rah7586rgsAieI="; Path=gateway/default; Domain=ambari.apache.org; Secure; HttpOnly}}
 * The token data is "username", (kerberos) "principal", authentication type, expiration time
 * This token data is signed with HmacSHA256 and that's included as "{{fNpq9FYy2DA19Rah7586rgsAieI="}}
 * The signature is used when the token is passed back to the server to validate that the token itself wasn't changed (e.g. user doesn't modify it and say they're someone else)

 * If the user doesn't provide the token (via the cookie), spnego authn happens normally. When spnego authn succeeds, it sets a new cookie
 * If the user provides the token (via the cookie) and the token is valid (the signature matches), then the user is marked as "authenticated" (as the user who is specified in that auth token).

I think I can break this up into a couple of steps:
 # Show that we can bypass spnego successfully with a cookie that just has basic info. Will have to add indirection in AbstractAvaticaHandler to not pull the user directly from the HttpServletRequest. Update the client, maybe (the http client we use may automatically pass it along)?
 # Make the plain cookie data into a protobuf or other serializable data structure
 # Add signing of the cookie data
 # Add expiration of the auth cookie

> Avoid SPNEGO re-negotiation for each request
> --------------------------------------------
>
>                 Key: CALCITE-4152
>                 URL: https://issues.apache.org/jira/browse/CALCITE-4152
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Istvan Toth
>            Priority: Major
>
> When using SPNEGO authentication with Avatica, every HTTP request re-initiates the negotiation, doubling the number of HTTP requests.
> Consider switching to cookies after the initial SPNEGO authentication succeeds.
> Jetty ticket that discusses the issue: [https://github.com/eclipse/jetty.project/issues/2868]
> Description of the Knox implementation
> [https://cwiki.apache.org/confluence/display/KNOX/2017/02/24/Hadoop+Auth+%28SPNEGO+and+delegation+token+based+authentication%29+with+Apache+Knox]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)