Posted to common-issues@hadoop.apache.org by "Omkar Vinit Joshi (JIRA)" <ji...@apache.org> on 2013/10/03 22:40:43 UTC

[jira] [Commented] (HADOOP-8830) org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors

    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13785511#comment-13785511 ] 

Omkar Vinit Joshi commented on HADOOP-8830:
-------------------------------------------

[~tucu00] can you take a look at the other patch [patch-2|https://issues.apache.org/jira/secure/attachment/12605624/HADOOP-8830.20131027.1.patch]? It is as per [~vinodkv]'s suggestion. I think both approaches are trying to solve the same problem. However, the reason I preferred updating cookies was that for AuthenticationFilter it is very clear to check the cookie first (assuming it is getting called for the first time only) and, if it is not found, then try to create one. Today, even if AuthenticationFilter finds the auth cookie, it DOESN'T remove it from the request; it is just passed on. So clearly there is a behavior difference between cookie (isPresent and isAbsent). Also please take a look at YARN-621. Issues like that are quite annoying.

> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.1.2-beta
>            Reporter: Moritz Moeller
>            Assignee: Omkar Vinit Joshi
>            Priority: Critical
>         Attachments: HADOOP-8830.20131026.1.patch, HADOOP-8830.20131027.1.patch
>
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack exception.
> I solved this by adding an if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.



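The failure mode from the issue description and the two guards it proposes (checking getRemoteUser() and marking the request with an attribute), as an added example that is not part of the original message and is not Hadoop's code. Request, Acceptor, the attribute name and the sample tokens are hypothetical stand-ins for the servlet request and the Kerberos acceptor with its replay cache.

```java
import java.util.*;

// Added illustration; every class, method and attribute name here is hypothetical.
public class ReplayGuardDemo {
    // Stand-in for a servlet request: the token is fixed, attributes are mutable.
    static class Request {
        final String negotiateToken;
        final Map<String, Object> attrs = new HashMap<>();
        String remoteUser;                         // null until authenticated
        Request(String token) { negotiateToken = token; }
    }

    // Stand-in for the Kerberos acceptor: each authenticator is accepted once.
    static class Acceptor {
        private final Set<String> replayCache = new HashSet<>();
        String accept(String token) {
            if (!replayCache.add(token))
                throw new SecurityException("authenticator already seen (replay)");
            return "alice";                        // constructed principal
        }
    }

    static final String DONE = "demo.auth.done";   // hypothetical attribute name

    // Unguarded filter: validates the token on every invocation.
    static void filterUnguarded(Acceptor a, Request r) {
        r.remoteUser = a.accept(r.negotiateToken);
    }

    // Guarded filter: a second pass over an authenticated request is a no-op.
    static void filterGuarded(Acceptor a, Request r) {
        if (r.remoteUser != null || r.attrs.containsKey(DONE)) return;
        r.remoteUser = a.accept(r.negotiateToken);
        r.attrs.put(DONE, Boolean.TRUE);
    }

    public static void main(String[] args) {
        Acceptor acceptor = new Acceptor();
        Request first = new Request("constructed-token-1");
        filterUnguarded(acceptor, first);
        try { filterUnguarded(acceptor, first); }  // same request, second pass
        catch (SecurityException e) { System.out.println("unguarded, 2nd pass: " + e.getMessage()); }

        Request second = new Request("constructed-token-2");
        filterGuarded(acceptor, second);
        filterGuarded(acceptor, second);           // skipped by the guard
        System.out.println("guarded, 2nd pass: user=" + second.remoteUser);

        // The guard is per request: the same token on a new request is still rejected.
        try { filterGuarded(acceptor, new Request("constructed-token-2")); }
        catch (SecurityException e) { System.out.println("new request, same token: " + e.getMessage()); }
    }
}
```

Because the guard state lives on the request object, it removes the false replay error from double invocation without weakening the acceptor's replay cache for tokens presented on a different request.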