Posted to common-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2016/03/09 22:42:40 UTC
[jira] [Commented] (HADOOP-10301) AuthenticationFilter should return Forbidden for failed authentication
[ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15188097#comment-15188097 ]
Robert Kanter commented on HADOOP-10301:
----------------------------------------
This breaks how the Oozie Client was checking for expired auth tokens (OOZIE-2485). I was looking into something related, and saw that when using Kerberos and an expired auth token, Oozie Client wasn't getting a new token.
I didn't notice this problem until I really dug into the code because the Oozie client commands would still succeed; it would always just log a warning in the Oozie Server from hadoop-auth about the token, and use Kerberos.
After a lot of debugging, I figured out the cause. Currently, Oozie does this in {{AuthOozieClient}} to determine if a token has expired:
{code:java}
if (currentToken.isSet()) {
  HttpURLConnection conn = (HttpURLConnection) url.openConnection();
  conn.setRequestMethod("OPTIONS");
  // Sends the cached token as the hadoop.auth cookie
  AuthenticatedURL.injectToken(conn, currentToken);
  // Only a 401 clears the cached token; a 200 carrying a fresh cookie is not looked at
  if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
    AUTH_TOKEN_CACHE_FILE.delete();
    currentToken = new AuthenticatedURL.Token();
  }
}
{code}
Previously, the response code would be 401 when the token expired. Oozie Client would clear out {{currentToken}} and some later code would get a new one after using the {{KerberosAuthenticator}}. However, it's now 200 here and returns a new token (in the header) after successfully doing SPNEGO without (Oozie explicitly) calling the {{KerberosAuthenticator}} at all. To fix this, Oozie has to modify the above to do this:
{code:java}
if (currentToken.isSet()) {
  HttpURLConnection conn = (HttpURLConnection) url.openConnection();
  conn.setRequestMethod("OPTIONS");
  // Sends the cached token as the hadoop.auth cookie
  AuthenticatedURL.injectToken(conn, currentToken);
  if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
    // Token rejected outright: drop it and let the KerberosAuthenticator get a new one
    AUTH_TOKEN_CACHE_FILE.delete();
    currentToken = new AuthenticatedURL.Token();
  } else {
    try {
      // 2xx: adopt the fresh hadoop.auth cookie if the server issued one
      AuthenticatedURL.extractToken(conn, currentToken);
    } catch (AuthenticationException ex) {
      // Any other status (e.g. 403): the token is no good, clear it
      AUTH_TOKEN_CACHE_FILE.delete();
      currentToken = new AuthenticatedURL.Token();
    }
  }
}
{code}
Here it will try to extract the new token if one was given using {{AuthenticatedURL.extractToken}}, which will update {{currentToken}}.
> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
> Key: HADOOP-10301
> URL: https://issues.apache.org/jira/browse/HADOOP-10301
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 2.4.0
>
> Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.branch-23.patch, HADOOP-10301.patch, HADOOP-10301.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a WWW-Authenticate header. This is illegal per the HTTP RFC and causes an NPE in the HttpUrlConnection.
> This is half of a fix that affects webhdfs. See HDFS-4564.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
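The exchange the comment describes, as an added Python model that is not part of the comment, of Oozie or of hadoop-auth. It puts the old and the corrected Oozie token check next to a simplified server-side filter that can behave either the old way (expired token gets a bare 401) or the post-HADOOP-10301 way (the filter falls through to SPNEGO and answers 200 with a fresh cookie). The Response type, the auth_filter model, the can_negotiate flag standing in for the JDK's transparent SPNEGO handling, and the token format (u=<user>&e=<expiry ms>, with no signature) are all constructed here; only the hadoop.auth cookie name and the shape of extractToken's behaviour (2xx: adopt a Set-Cookie token if present; anything else: raise) follow the real AuthenticatedURL.

```python
"""
Added model of the hadoop-auth token-expiry check discussed above.
Illustrative Python, not Oozie or Hadoop code: Response, auth_filter and the
token format are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COOKIE_NAME = "hadoop.auth"   # the cookie name the real AuthenticationFilter uses


@dataclass
class Response:
    status: int
    headers: Dict[str, List[str]] = field(default_factory=dict)


class AuthenticationException(Exception):
    """Stand-in for org.apache.hadoop.security.authentication.client.AuthenticationException."""


def make_token(user: str, expiry_ms: int) -> str:
    # Constructed format; the real token also carries p=, t= and a signature s=.
    return f"u={user}&e={expiry_ms}"


def token_expired(token: str, now_ms: int) -> bool:
    fields = dict(kv.split("=", 1) for kv in token.split("&"))
    return int(fields["e"]) <= now_ms


def auth_filter(cookie: Optional[str], can_negotiate: bool, now_ms: int,
                fixed: bool = True) -> Response:
    """Server side: one OPTIONS request through a model of AuthenticationFilter.

    fixed=False is the old behaviour the Oozie check relied on: an expired
    token gets a bare 401 (no WWW-Authenticate).  fixed=True is the behaviour
    the comment describes: the filter falls through to SPNEGO and, when the
    client's connection negotiates on its own (can_negotiate), answers 200
    with a fresh hadoop.auth cookie instead of a 401.
    """
    if cookie is not None and not token_expired(cookie, now_ms):
        return Response(200)                       # valid token, no new cookie
    if cookie is not None and not fixed:
        return Response(401)                       # old: bare 401
    if not can_negotiate:
        return Response(401, {"WWW-Authenticate": ["Negotiate"]})
    fresh = make_token("alice", now_ms + 3_600_000)   # constructed one-hour lifetime
    return Response(200, {"Set-Cookie": [f'{COOKIE_NAME}="{fresh}"; Path=/; HttpOnly']})


def extract_token(response: Response) -> Optional[str]:
    """Client side, modelled on AuthenticatedURL.extractToken: on a 2xx return
    the hadoop.auth value from Set-Cookie (None if absent); otherwise raise."""
    if response.status not in (200, 201, 202):
        raise AuthenticationException(f"Authentication failed, status: {response.status}")
    for header in response.headers.get("Set-Cookie", []):
        name, _, rest = header.partition("=")
        if name.strip() != COOKIE_NAME:
            continue
        value = rest.split(";", 1)[0].strip().strip('"')
        if value:
            return value
    return None


def refresh_token_before(current: Optional[str], response: Response) -> Optional[str]:
    """The original Oozie check: only a 401 clears the cached token."""
    return None if response.status == 401 else current


def refresh_token_after(current: Optional[str], response: Response) -> Optional[str]:
    """The corrected check: 401 clears the token; otherwise adopt a fresh cookie
    if one came back, and clear the token when extraction fails (e.g. a 403).
    None means 'cleared, let the KerberosAuthenticator fetch a new one'."""
    if response.status == 401:
        return None
    try:
        fresh = extract_token(response)
    except AuthenticationException:
        return None
    return fresh if fresh is not None else current


def probe(current: Optional[str], can_negotiate: bool, now_ms: int,
          fixed: bool = True, corrected: bool = True) -> Optional[str]:
    """One round trip: client sends its cached token, the filter answers, and the
    chosen client check decides which token to keep."""
    response = auth_filter(current, can_negotiate, now_ms, fixed)
    check = refresh_token_after if corrected else refresh_token_before
    return check(current, response)


if __name__ == "__main__":
    now = 1_457_562_160_000                    # constructed clock value (ms)
    expired = make_token("alice", now - 1)
    # Old filter + old check: 401 clears the token, Kerberos re-auth follows.
    print(probe(expired, True, now, fixed=False, corrected=False))
    # New filter + old check: the expired token is silently kept.
    print(probe(expired, True, now, fixed=True, corrected=False) == expired)
    # New filter + corrected check: the fresh cookie replaces the expired token.
    print(token_expired(probe(expired, True, now), now))
```

The middle case is the one the comment debugged: with the old check against the new filter, every call succeeds over SPNEGO and the expired token stays cached, so the server logs its warning on each request while the client never notices. The corrected check also covers the title of this issue, since a Forbidden response makes extractToken raise and the token is cleared rather than retried.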