[
https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15188097#comment-15188097
]
Robert Kanter commented on HADOOP-10301:
----------------------------------------
This breaks how the Oozie Client was checking for expired auth tokens
(OOZIE-2485). I was looking into something related, and saw that when using
Kerberos and an expired auth token, Oozie Client wasn't getting a new token.
I didn't notice this problem until I really dug into the code because the Oozie
client commands would still succeed; it would always just log a warning in the
Oozie Server from hadoop-auth about the token, and use Kerberos.
After a lot of debugging, I figured out the cause. Currently, Oozie does this
in {{AuthOozieClient}} to determine if a token has expired:
{code:java}
if (currentToken.isSet()) {
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("OPTIONS");
    AuthenticatedURL.injectToken(conn, currentToken);
    if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
        AUTH_TOKEN_CACHE_FILE.delete();
        currentToken = new AuthenticatedURL.Token();
    }
}
{code}
Previously, the response code would be 401 when the token expired. Oozie
Client would clear out {{currentToken}} and some later code would get a new one
after using the {{KerberosAuthenticator}}. However, it's now 200 here and
returns a new token (in the header) after successfully doing SPNEGO without
(Oozie explicitly) calling the {{KerberosAuthenticator}} at all. To fix this,
Oozie has to modify the above to do this:
{code:java}
if (currentToken.isSet()) {
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("OPTIONS");
    AuthenticatedURL.injectToken(conn, currentToken);
    if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
        AUTH_TOKEN_CACHE_FILE.delete();
        currentToken = new AuthenticatedURL.Token();
    } else {
        // The server may have done SPNEGO itself and handed back a fresh
        // token in the response cookie; pick it up instead of keeping the
        // expired one.
        try {
            AuthenticatedURL.extractToken(conn, currentToken);
        } catch (AuthenticationException ex) {
            AUTH_TOKEN_CACHE_FILE.delete();
            currentToken = new AuthenticatedURL.Token();
        }
    }
}
{code}
Here it will try to extract the new token if one was given using
{{AuthenticatedURL.extractToken}}, which will update {{currentToken}}.
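To make the behaviour change concrete, here is an added model (not Oozie or Hadoop code) of the two client checks against the two server behaviours described above. It assumes the {{hadoop.auth}} cookie name used by {{AuthenticatedURL}}; the token strings and responses are constructed samples.

```python
"""Model of the hadoop-auth token-refresh check before and after HADOOP-10301.
Constructed sample responses; not Hadoop or Oozie code."""
from http.cookies import SimpleCookie

AUTH_COOKIE = "hadoop.auth"  # cookie name used by AuthenticatedURL


class AuthenticationException(Exception):
    pass


def extract_token(status, headers):
    """Mimic AuthenticatedURL.extractToken: on 200/201 return the hadoop.auth
    cookie value if present (None if absent); any other status is a failure."""
    if status not in (200, 201):
        raise AuthenticationException(f"Authentication failed, status: {status}")
    for raw in headers.get("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        if AUTH_COOKIE in jar:
            return jar[AUTH_COOKIE].value
    return None


def old_check(current, status, headers):
    """Pre-fix Oozie logic: only a 401 invalidates the cached token."""
    return None if status == 401 else current


def new_check(current, status, headers):
    """Fixed logic: 401 clears the token; otherwise adopt a refreshed token
    from the response, and clear on any extraction failure."""
    if status == 401:
        return None
    try:
        fresh = extract_token(status, headers)
    except AuthenticationException:
        return None
    return fresh if fresh is not None else current


# Constructed responses to an OPTIONS probe sent with an expired token.
STALE = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1000&s=oldsig"
FRESH = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=2000&s=newsig"
OLD_SERVER = (401, {})  # before the filter change: bare 401
NEW_SERVER = (200, {"Set-Cookie": [f'{AUTH_COOKIE}="{FRESH}"; Path=/; HttpOnly']})
STILL_VALID = (200, {})  # token not expired, no new cookie issued
```

With the new server behaviour, `old_check` keeps the stale token and the client silently relies on Kerberos every call, while `new_check` picks up the refreshed one.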
> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
> Key: HADOOP-10301
> URL: https://issues.apache.org/jira/browse/HADOOP-10301
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Fix For: 2.4.0
>
> Attachments: HADOOP-10301.branch-23.patch,
> HADOOP-10301.branch-23.patch, HADOOP-10301.patch, HADOOP-10301.patch,
> HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a
> WWW-Authenticate header. This is illegal per the HTTP RFC and causes an NPE
> in the HttpUrlConnection.
> This is half of a fix that affects webhdfs. See HDFS-4564.