You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2017/04/19 18:51:42 UTC
[jira] [Created] (HADOOP-14327)
KerberosAuthenticationHandler#authenticate throws meaningless exception
with empty server principals
Wei-Chiu Chuang created HADOOP-14327:
----------------------------------------
Summary: KerberosAuthenticationHandler#authenticate throws meaningless exception with empty server principals
Key: HADOOP-14327
URL: https://issues.apache.org/jira/browse/HADOOP-14327
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0-alpha2
Reporter: Wei-Chiu Chuang
Priority: Minor
If somehow KerberosAuthenticationHandler#authenticate gets an empty service principal set, it throws a useless exception like the following:
{noformat}
2017-04-19 10:11:39,812 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationExceptio
n
org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452)
at org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400)
at org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180)
at org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69)
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532)
{noformat}
The following code has a logic error. If serverPrincipals is empty, token remains null in the end, but lastException is also null too, so throwing it is meaningless. It should throw with a more meaningful message.
{code:title=KerberosAuthenticationHandler#authenticate}
AuthenticationToken token = null;
Exception lastException = null;
for (String serverPrincipal : serverPrincipals) {
try {
token = runWithPrincipal(serverPrincipal, clientToken,
base64, response);
} catch (Exception ex) {
lastException = ex;
LOG.trace("Auth {} failed with {}", serverPrincipal, ex);
} finally {
if (token != null) {
LOG.trace("Auth {} successfully", serverPrincipal);
break;
}
}
}
if (token != null) {
return token;
} else {
throw new AuthenticationException(lastException);
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org