[ https://issues.apache.org/jira/browse/HADOOP-14327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yuanbo Liu reassigned HADOOP-14327: ----------------------------------- Assignee: Yuanbo Liu > KerberosAuthenticationHandler#authenticate throws meaningless exception when > server principals set is empty > ----------------------------------------------------------------------------------------------------------- > > Key: HADOOP-14327 > URL: https://issues.apache.org/jira/browse/HADOOP-14327 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 3.0.0-alpha2 > Reporter: Wei-Chiu Chuang > Assignee: Yuanbo Liu > Priority: Minor > > If somehow KerberosAuthenticationHandler#authenticate gets an empty service > principal set, it throws a useless exception like the following: > {noformat} > 2017-04-19 10:11:39,812 DEBUG > org.apache.hadoop.security.authentication.server.AuthenticationFilter: > Authentication exception: > org.apache.hadoop.security.authentication.client.AuthenticationExceptio > n > org.apache.hadoop.security.authentication.client.AuthenticationException: > org.apache.hadoop.security.authentication.client.AuthenticationException > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452) > at > org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400) > at > org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180) > at > org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532) > {noformat} > The following code has a logic error. If serverPrincipals is empty, token > remains null in the end, but lastException is also null too, so throwing it > is meaningless. It should throw with a more meaningful message. > {code:title=KerberosAuthenticationHandler#authenticate} > AuthenticationToken token = null; > Exception lastException = null; > for (String serverPrincipal : serverPrincipals) { > try { > token = runWithPrincipal(serverPrincipal, clientToken, > base64, response); > } catch (Exception ex) { > lastException = ex; > LOG.trace("Auth {} failed with {}", serverPrincipal, ex); > } finally { > if (token != null) { > LOG.trace("Auth {} successfully", serverPrincipal); > break; > } > } > } > if (token != null) { > return token; > } else { > throw new AuthenticationException(lastException); > } > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org