You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Kevin Minder (JIRA)" <ji...@apache.org> on 2018/02/06 13:27:00 UTC

[jira] [Created] (KNOX-1171) Handle invalid hadoop.auth cookie returned by Oozie

Kevin Minder created KNOX-1171:
----------------------------------

             Summary: Handle invalid hadoop.auth cookie returned by Oozie
                 Key: KNOX-1171
                 URL: https://issues.apache.org/jira/browse/KNOX-1171
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.14.0
            Reporter: Kevin Minder
            Assignee: Kevin Minder
             Fix For: 1.1.0


There are issues with Oozie/HadoopAuth that prevent the proxying of the Oozie UI in secure clusters.  

The HadoopAuth issue below is preventing HttpClient from handling hadoop.auth token resulting in every interaction with Oozie requiring a SPNego authentication in a secure cluster. https://issues.apache.org/jira/browse/HADOOP-10710

The Oozie issue below prevents certain Oozie resources from be accessible when SPNego authentication occurs.  This is caused by these resources being authenticated twice which results in a Kerberos replay attack detection/failure. https://issues.apache.org/jira/browse/OOZIE-2427

The combination of these two issues prevents the Oozie UI from being proxied in a secure cluster.

The proposed solution is to enhance HadoopAuthCookieStore to handle cases where the cooke value isn't RFC2109 compliant by wrapping the value in double quotes if they are missing.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)