Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2015/07/30 22:30:04 UTC

[jira] [Updated] (OOZIE-2322) Oozie Web UI doesn't work with Kerberos in Internet Explorer 10 or 11 and curl

     [ https://issues.apache.org/jira/browse/OOZIE-2322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated OOZIE-2322:
---------------------------------
    Attachment: OOZIE-2322.001.patch

After a ridiculous amount of investigation, it turns out that OOZIE-1890 accidentally changed {{oozie.authentication.cookie.domain}} from an empty string to a space in oozie-default.xml. While that seems like a minor change, it makes a big difference. In Hadoop Configurations, an empty string gets thrown away (i.e. conf.get("foo") == null), but whitespace becomes an empty string (i.e. conf.get("foo") == ""), which is somewhat confusing. Anyway, this made the default cookie domain an empty string instead of (magically?) defaulting to the hostname. This is fine for Chrome, Firefox, and IE 8/9, but it breaks IE 10/11 and curl, which are more strict and so throw away the cookie.

The patch simply sets the default value back to empty string.

curl's verbose logging was really helpful in finally finding that the cookie domain was the problem.  Here's what we see in the headers without the patch:
{noformat}
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
* skipped cookie with illegal dotcount domain:
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain= ; Expires=Thu, 30-Jul-2015 17:28:19 GMT; HttpOnly
* Added cookie JSESSIONID="8CD6FC2FEE84506094B1DC2F607C7D6C" for domain host-10-17-81-194.coe.cloudera.com, path /oozie, expire 0
< Set-Cookie: JSESSIONID=8CD6FC2FEE84506094B1DC2F607C7D6C; Path=/oozie
< Content-Type: text/html
< Content-Length: 3754
< Date: Thu, 30 Jul 2015 07:28:19 GMT
<
{noformat}
Here's the code in the version of curl we were using, where the error message comes from:
https://github.com/bagder/curl/blob/curl-7_19_7/lib/cookie.c#L269-L302
It's looking for a certain number of dots in the domain. Obviously, in a blank domain, there are none.
Interestingly, newer versions of curl appear to do something a bit different here, with a slightly different error message (perhaps they've made it more tolerant?):
https://github.com/bagder/curl/blob/master/lib/cookie.c#L468-L503

And here's with the patch:
{noformat}
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< WWW-Authenticate: Negotiate
* Added cookie hadoop.auth="" for domain host-10-17-81-194.coe.cloudera.com, path /, expire 1
< Set-Cookie: hadoop.auth=; Path=/; Domain=host-10-17-81-194.coe.cloudera.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
< Content-Type: text/html;charset=utf-8
< Content-Length: 997
< Date: Thu, 30 Jul 2015 08:01:15 GMT
<
...
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
* Replaced cookie hadoop.auth=""<REDACTED>"" for domain host-10-17-81-194.coe.cloudera.com, path /, expire 1438279275
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain=host-10-17-81-194.coe.cloudera.com; Expires=Thu, 30-Jul-2015 18:01:15 GMT; HttpOnly
* Added cookie JSESSIONID="267D1BB9F7B8D512D35E35DF95BCF263" for domain host-10-17-81-194.coe.cloudera.com, path /oozie, expire 0
< Set-Cookie: JSESSIONID=267D1BB9F7B8D512D35E35DF95BCF263; Path=/oozie
< Content-Type: text/html
< Content-Length: 3754
< Date: Thu, 30 Jul 2015 08:01:15 GMT
<
{noformat}

> Oozie Web UI doesn't work with Kerberos in Internet Explorer 10 or 11 and curl
> ------------------------------------------------------------------------------
>
>                 Key: OOZIE-2322
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2322
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 4.2.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: OOZIE-2322.001.patch
>
>
> We see that the Oozie Web UI wasn't working from Internet Explorer 10 or 11, and also curl when Kerberos was turned on.  It worked fine in IE 8/9, Chrome, and Firefox though.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
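
Added example (not part of the original message or of the Oozie code base): a Python check for the two symptoms described above, a whitespace-only value in a Hadoop-style configuration file and a Set-Cookie header whose Domain attribute is present but blank. The function names, the example.* properties, the sample XML and the host oozie.example.com are constructed for illustration; only the property name oozie.authentication.cookie.domain and the header shape come from the message.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Hadoop <configuration> layout. The first property
# has a single space as its value, the case the message describes.
SAMPLE_CONF = """<configuration>
  <property><name>oozie.authentication.cookie.domain</name><value> </value></property>
  <property><name>example.empty</name><value></value></property>
  <property><name>example.set</name><value>kerberos</value></property>
</configuration>"""

# Constructed header lines in the shape of the curl -v output quoted above.
SAMPLE_HEADERS = [
    '< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain= ; HttpOnly',
    '< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain=oozie.example.com; HttpOnly',
    "< Set-Cookie: JSESSIONID=ABC123; Path=/oozie",
]


def whitespace_only_properties(conf_xml):
    """Return names of properties whose <value> is non-empty but all whitespace."""
    flagged = []
    for prop in ET.fromstring(conf_xml).iter("property"):
        value = prop.findtext("value") or ""
        if value and not value.strip():
            flagged.append((prop.findtext("name") or "").strip())
    return flagged


def blank_domain_cookies(header_lines):
    """Return cookie names from Set-Cookie lines with a blank Domain attribute."""
    flagged = []
    for line in header_lines:
        name = re.match(r"\W*Set-Cookie:\s*([^=;]+)=", line, re.I)
        if not name:
            continue  # not a Set-Cookie line (curl's "* ..." notes, other headers)
        domain = re.search(r";\s*Domain=([^;]*)", line, re.I)
        # A missing Domain attribute is fine; one that is present but blank is
        # what the stricter clients in the message rejected.
        if domain and not domain.group(1).strip():
            flagged.append(name.group(1))
    return flagged


if __name__ == "__main__":
    print("whitespace-only properties:", whitespace_only_properties(SAMPLE_CONF))
    print("cookies with blank Domain:", blank_domain_cookies(SAMPLE_HEADERS))
```
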