Posted to commits@impala.apache.org by tm...@apache.org on 2019/10/04 21:32:33 UTC

[impala] 03/03: IMPALA-9001: Fix SPNEGO for requests with no 'Authorization'

This is an automated email from the ASF dual-hosted git repository.

tmarshall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 9cd1d72194391d18d4949ee8c2b86f32efa8a8ab
Author: Thomas Tauber-Marshall <tm...@cloudera.com>
AuthorDate: Wed Oct 2 16:15:02 2019 -0700

    IMPALA-9001: Fix SPNEGO for requests with no 'Authorization'
    
    When SPNEGO was first implemented for both hs2 and the webui, the way
    we handled requests that did not include an "Authorization" header was
    to pass an empty string to gss-api and then return a
    "WWW-Authenticate: Negotiate <token>" where <token> was whatever was
    returned by gss-api.
    
    This works with some clients, but appears to fail with others. This
    patch modifies the behavior to not send the <token> with the initial
    WWW-Authenticate, which works with all tested clients.
    
    Testing:
    - Tested with curl, Knox, and Java's HttpURLConnection API.
    
    Change-Id: Id9b6ac99b799324ec22e95fd1eb022d5ad6f54bd
    Reviewed-on: http://gerrit.cloudera.org:8080/14352
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/rpc/authentication.cc | 5 +++++
 be/src/util/webserver.cc     | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/be/src/rpc/authentication.cc b/be/src/rpc/authentication.cc
index eace146..3ba6a31 100644
--- a/be/src/rpc/authentication.cc
+++ b/be/src/rpc/authentication.cc
@@ -545,6 +545,11 @@ bool BasicAuth(ThriftServer::ConnectionContext* connection_context,
 // encountered and the connection should be closed.
 bool NegotiateAuth(ThriftServer::ConnectionContext* connection_context,
     const AuthenticationHash& hash, const std::string& header_token, bool* is_complete) {
+  if (header_token.empty()) {
+    connection_context->return_headers.push_back("WWW-Authenticate: Negotiate");
+    *is_complete = false;
+    return false;
+  }
   std::string token;
   // Note: according to RFC 2616, the correct format for the header is:
   // 'Authorization: Negotiate <token>'. However, beeline incorrectly adds an additional
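Review bot: The early return added at the top of NegotiateAuth has no comment saying why a bare "WWW-Authenticate: Negotiate" is sent when `header_token.empty()`; that rationale exists only in the commit message. Please add a short comment above the check saying that the initial challenge deliberately carries no gss-api token because some clients fail when one is included. The visible tail of the function comment ("...encountered and the connection should be closed.") ties a `false` return to closing the connection, so also document that this path returns `false` with `*is_complete = false` as a challenge rather than an error, and confirm the caller still sends `return_headers` to the client in that case. The diffstat shows only the two source files changed, so a regression test for a request with no 'Authorization' header would be worth adding alongside the manual testing listed.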
diff --git a/be/src/util/webserver.cc b/be/src/util/webserver.cc
index d43fb6d..555760f 100644
--- a/be/src/util/webserver.cc
+++ b/be/src/util/webserver.cc
@@ -209,6 +209,11 @@ kudu::Status RunSpnegoStep(const char* authz_header, string* resp_header,
     return kudu::Status::InvalidArgument("bad Negotiate header");
   }
 
+  if (!authz_header) {
+    *resp_header = "WWW-Authenticate: Negotiate";
+    return kudu::Status::Incomplete("authn incomplete");
+  }
+
   string resp_token_b64;
   bool is_complete;
   RETURN_NOT_OK(kudu::gssapi::SpnegoStep(
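Review bot: The `if (!authz_header)` check is placed after the block that returns `InvalidArgument("bad Negotiate header")`, so a null `authz_header` has already passed through that validation before it is tested. If that earlier block is guarded against null this is safe, but moving the check to the top of RunSpnegoStep would make the null case obviously correct and keep it from depending on the guard. The condition also differs from the one in authentication.cc: here only a missing header is handled, while NegotiateAuth tests `header_token.empty()`, so a header that is present with an empty token would still reach `kudu::gssapi::SpnegoStep` on this path. Consider making the two checks equivalent, and sharing the "WWW-Authenticate: Negotiate" literal rather than repeating it in both files.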