Posted to common-issues@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2014/01/16 20:15:21 UTC

[jira] [Commented] (HADOOP-9363) AuthenticatedURL will NPE if server closes connection

    [ https://issues.apache.org/jira/browse/HADOOP-9363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13873798#comment-13873798 ] 

Daryn Sharp commented on HADOOP-9363:
-------------------------------------

I've determined the problem for this old issue and am working on a patch.  If the spnego auth fails, it returns a 401 with no WWW-Authenticate header.  This violates the RFC which mandates a 401 always contains a WWW-Authenticate header.

If any kerberos error occurs, the 401 sans WWW-Authenticate header triggers an NPE in the client due to a JDK bug that assumes an RFC-compliant response.  Examples of errors include but are not limited to:
# server's kerberos principal/keytab and the http server started anyway
# server's TGT expires
# server principal's kvno is stale
# client has no TGT
# client sends an invalid service ticket (expired, wrong enc_type, wrong kvno, etc.)
# kdc is not available - down or transient network failure
# clock skew causes a kerberos failure
# replay attack is triggered (another JDK bug triggered by AuthenticatedURL)

The NPE is particularly bad for daemon services.  For example, the RM will crash if an NPE occurs while renewing/canceling a token.

> AuthenticatedURL will NPE if server closes connection
> -----------------------------------------------------
>
>                 Key: HADOOP-9363
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9363
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>
> An NPE occurs if the server unexpectedly closes the connection for an {{AuthenticatedURL}} w/o sending a response.
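Server-side counterpart to the RFC point in the comment above, as an added illustration that is not Hadoop's own AuthenticationFilter: a javax.servlet filter whose Kerberos-failure branch still sends WWW-Authenticate, so a client never receives the header-less 401 that the JDK turns into an NPE. The class and method names are assumptions, and in a real deployment the GSS accept step runs under the server's keytab login subject.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.*;

/** Illustrative SPNEGO gate: every 401 it emits carries WWW-Authenticate, even on Kerberos errors. */
public class SpnegoChallengeFilter implements Filter {
    static final String NEGOTIATE = "Negotiate";
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;
        String authz = httpReq.getHeader("Authorization");
        if (authz == null || !authz.startsWith(NEGOTIATE + " ")) {
            sendChallenge(httpResp, "authentication required");  // initial challenge
            return;
        }
        try {
            String principal = acceptToken(authz.substring(NEGOTIATE.length()).trim());
            chain.doFilter(req, resp);  // principal would be attached to the request here
        } catch (GSSException | IllegalArgumentException kerberosFailure) {
            // Broken behaviour from the comment: a bare sendError(401) here, with no challenge
            // header, is what an RFC-assuming client parses into an NPE. Fixed: re-issue the challenge.
            sendChallenge(httpResp, "SPNEGO failed: " + kerberosFailure.getMessage());
        }
    }
    /** A 401 must always pair with WWW-Authenticate; the reason goes in the body, not in its place. */
    static void sendChallenge(HttpServletResponse resp, String reason) throws IOException {
        resp.setHeader("WWW-Authenticate", NEGOTIATE);
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, reason);
    }
    /** GSS-API accept step (hypothetical helper). A real filter runs this under Subject.doAs. */
    static String acceptToken(String base64Token) throws GSSException {
        byte[] token = Base64.getDecoder().decode(base64Token);  // IllegalArgumentException if malformed
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            return ctx.getSrcName().toString();
        } finally {
            ctx.dispose();
        }
    }
}
```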



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)