[
https://issues.apache.org/jira/browse/HADOOP-14327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yuanbo Liu reassigned HADOOP-14327:
-----------------------------------
Assignee: Yuanbo Liu
> KerberosAuthenticationHandler#authenticate throws meaningless exception when
> server principals set is empty
> -----------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-14327
> URL: https://issues.apache.org/jira/browse/HADOOP-14327
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0-alpha2
> Reporter: Wei-Chiu Chuang
> Assignee: Yuanbo Liu
> Priority: Minor
>
> If somehow KerberosAuthenticationHandler#authenticate gets an empty service
> principal set, it throws a useless exception like the following:
> {noformat}
> 2017-04-19 10:11:39,812 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationException
> org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452)
>         at org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193)
>         at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400)
>         at org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180)
>         at org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532)
> {noformat}
> The following code has a logic error. If serverPrincipals is empty, token
> remains null in the end, but lastException is also null, so throwing it
> is meaningless. It should throw with a more meaningful message.
> {code:title=KerberosAuthenticationHandler#authenticate}
>     AuthenticationToken token = null;
>     Exception lastException = null;
>     for (String serverPrincipal : serverPrincipals) {
>       try {
>         token = runWithPrincipal(serverPrincipal, clientToken,
>             base64, response);
>       } catch (Exception ex) {
>         lastException = ex;
>         LOG.trace("Auth {} failed with {}", serverPrincipal, ex);
>       } finally {
>         if (token != null) {
>           LOG.trace("Auth {} successfully", serverPrincipal);
>           break;
>         }
>       }
>     }
>     if (token != null) {
>       return token;
>     } else {
>       throw new AuthenticationException(lastException);
>     }
> {code}