Posted to dev@knox.apache.org by "Kevin Minder (JIRA)" <ji...@apache.org> on 2015/09/14 15:57:45 UTC

[jira] [Updated] (KNOX-598) Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP 401 error (due to Kerberos Replay attack error)

     [ https://issues.apache.org/jira/browse/KNOX-598?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Minder updated KNOX-598:
------------------------------
    Description: In high concurrency scenarios the same Knox service principal can end up requesting two service tickets for HiveServer2's HTTP service principal within the same microsecond. This is being detected on the HiveServer2 side as a replay attack. The fix is to include some concurrency controls in Knox to ensure that this cannot occur. This will introduce some minor serialization but this seems unavoidable.

> Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP 401 error (due to Kerberos Replay attack error)
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-598
>                 URL: https://issues.apache.org/jira/browse/KNOX-598
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.4.0
>            Reporter: Kevin Minder
>            Priority: Blocker
>             Fix For: 0.7.0
>
>
> In high concurrency scenarios the same Knox service principal can end up requesting two service tickets for HiveServer2's HTTP service principal within the same microsecond. This is being detected on the HiveServer2 side as a replay attack. The fix is to include some concurrency controls in Knox to ensure that this cannot occur. This will introduce some minor serialization but this seems unavoidable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
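
Added example, not part of the original message and not Knox or HiveServer2 code: a small Java model of the failure described in the issue, where concurrent requests stamped with the same microsecond look like replays to the acceptor, next to one concurrency control that prevents it. Assumptions: the replay cache is keyed on client principal, service principal and microsecond timestamp; the initiator picks the timestamp; the principals and clock value are constructed; and the strictly increasing timestamp allocator stands in for the "concurrency controls" the issue leaves unspecified.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicLong;

// Model only: not Knox or HiveServer2 code; every name here is hypothetical.
public class ReplayCacheDemo {
    // Acceptor side: replay cache keyed on the authenticator's identifying
    // fields (client principal, service principal, client time in microseconds).
    static final Set<String> seen = ConcurrentHashMap.newKeySet();

    static boolean accept(String client, String service, long ctimeMicros) {
        return seen.add(client + "|" + service + "|" + ctimeMicros); // false = treated as replay
    }

    // Initiator side: concurrency control that never issues the same microsecond twice.
    static final AtomicLong lastIssued = new AtomicLong();

    static long uniqueMicros(long nowMicros) {
        return lastIssued.updateAndGet(prev -> Math.max(prev + 1, nowMicros));
    }

    // Fires `clients` concurrent requests and returns how many the cache rejected.
    static int countRejected(boolean serialized, int clients) throws Exception {
        seen.clear();
        lastIssued.set(0);
        final long frozenClock = 1_442_239_065_000_000L; // constructed: every thread reads the same microsecond
        ExecutorService pool = Executors.newFixedThreadPool(clients);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < clients; i++) {
            results.add(pool.submit(() -> {
                long ctime = serialized ? uniqueMicros(frozenClock) : frozenClock;
                // Constructed principals standing in for Knox and HiveServer2's HTTP service.
                return accept("knox@EXAMPLE.COM", "HTTP/hs2.example.com@EXAMPLE.COM", ctime);
            }));
        }
        int rejected = 0;
        for (Future<Boolean> f : results) {
            if (!f.get()) rejected++;
        }
        pool.shutdown();
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected without control: " + countRejected(false, 8));
        System.out.println("rejected with control:    " + countRejected(true, 8));
    }
}
```

Without the control, only the first request in a same-microsecond burst is accepted and the rest are rejected as replays; with it, the requests are ordered through a single atomic counter, which is the minor serialization the issue mentions.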