Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2014/10/29 06:53:34 UTC

[jira] [Updated] (HADOOP-10911) hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109

     [ https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Nauroth updated HADOOP-10911:
-----------------------------------
    Attachment: oozie-webconsole.stream

We've discovered that this patch has broken the Oozie web console in secure clusters.  The attached trace shows that the cookie is getting truncated after the first occurrence of '='.  Reintroducing the quotes fixes the issue.

I'd like to revert this patch for 2.6.0.  We can reopen this issue if there is still a need to make a subsequent attempt at another patch for something related to HttpClient.  What do others think?

Thanks to [~venkatnrangan] for reporting the bug and providing the root cause analysis that identified this patch.

> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-10911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10911
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Gregory Chanan
>             Fix For: 2.6.0
>
>         Attachments: HADOOP-10911-tests.patch, HADOOP-10911.patch, HADOOP-10911v2.patch, HADOOP-10911v3.patch, oozie-webconsole.stream
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is unable to authenticate with servers running the authentication filter), even with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned for backwards compatibility with the Netscape draft spec.  When httpclient sees "Expires", it parses according to the Netscape draft spec, but note from RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old" cookies did not have quotes around values. 
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.



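Why an unquoted cookie value can lose everything past the first '=', as an added example that is not code from Hadoop, Oozie or HttpClient and does not claim to be the parser behind the attached trace: under the RFC 2109 grammar a value is either a token or a quoted-string, and '=' is a separator that cannot appear in a token. The helpers `read_value` and `parse_cookie_pair` and the sample token are constructed for illustration.

```python
# Added example: strict RFC 2109 value parsing (hypothetical helper names).
# RFC 2109: value = word ; word = token | quoted-string.
# An HTTP/1.1 token excludes separators, and "=" is one of them.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def read_value(raw):
    """Return (value, rest): the parsed value and the input left unparsed."""
    if raw.startswith('"'):
        out, i = [], 1
        while i < len(raw):
            ch = raw[i]
            if ch == '\\' and i + 1 < len(raw):   # quoted-pair: keep next char
                out.append(raw[i + 1])
                i += 2
            elif ch == '"':                        # closing quote ends the value
                return ''.join(out), raw[i + 1:]
            else:
                out.append(ch)
                i += 1
        raise ValueError("unterminated quoted-string")
    # Unquoted: consume token characters only, stop at the first separator.
    i = 0
    while i < len(raw) and raw[i] not in SEPARATORS and ' ' < raw[i] < '\x7f':
        i += 1
    return raw[:i], raw[i:]


def parse_cookie_pair(pair):
    """Parse one NAME=VALUE pair and flag a value that was cut short."""
    name, sep, raw = pair.strip().partition('=')
    if not sep:
        raise ValueError("missing '='")
    value, rest = read_value(raw)
    # Anything left over means the parser stopped before the end of the value.
    return {"name": name, "value": value, "truncated": rest.strip() != ""}


# Constructed sample value; the field layout is an assumption for illustration.
TOKEN = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1414600000000&s=c2lnbmF0dXJl"

UNQUOTED = parse_cookie_pair("hadoop.auth=" + TOKEN)
QUOTED = parse_cookie_pair('hadoop.auth="' + TOKEN + '"')

if __name__ == "__main__":
    print("unquoted:", UNQUOTED)
    print("quoted:  ", QUOTED)
```

The `truncated` flag is the kind of check worth adding to a test around any cookie change: compare what the consumer parsed with what the server set, for each client parser that has to accept the cookie.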