[
https://issues.apache.org/jira/browse/HADOOP-18120?focusedWorklogId=769493&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-769493
]
ASF GitHub Bot logged work on HADOOP-18120:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 12/May/22 09:00
Start Date: 12/May/22 09:00
Worklog Time Spent: 10m
Work Description: jacktheone commented on code in PR #4300:
URL: https://github.com/apache/hadoop/pull/4300#discussion_r871128264
##########
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java:
##########
@@ -248,4 +255,86 @@ public void testWrapExceptionWithMessage() {
Assert.assertTrue(ex.equals(ex2));
}
+ @Test(timeout = 60000)
+ public void testNegotiate() throws NoSuchMethodException,
InvocationTargetException,
+ IllegalAccessException, IOException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+ Mockito.when(conn.getHeaderField(KerberosAuthenticator.WWW_AUTHENTICATE)).
+ thenReturn(KerberosAuthenticator.NEGOTIATE);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ Method method =
KerberosAuthenticator.class.getDeclaredMethod("isNegotiate",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ Assert.assertTrue((boolean)method.invoke(kerberosAuthenticator, conn));
+ }
+
+ @Test(timeout = 60000)
+ public void testNegotiateLowerCase() throws NoSuchMethodException,
InvocationTargetException,
+ IllegalAccessException, IOException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+ Mockito.when(conn.getHeaderField("www-authenticate"))
+ .thenReturn(KerberosAuthenticator.NEGOTIATE);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ Method method =
KerberosAuthenticator.class.getDeclaredMethod("isNegotiate",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ Assert.assertTrue((boolean)method.invoke(kerberosAuthenticator, conn));
+ }
+
+ @Test(timeout = 60000)
+ public void testReadToken() throws NoSuchMethodException, IOException,
IllegalAccessException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+ FieldUtils.writeField(kerberosAuthenticator, "base64", new Base64(), true);
+
+ Base64 base64 = new Base64();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+ Mockito.when(conn.getHeaderField(KerberosAuthenticator.WWW_AUTHENTICATE))
+ .thenReturn(KerberosAuthenticator.NEGOTIATE + " " +
+ Arrays.toString(base64.encode("foobar".getBytes())));
+
+ Method method = KerberosAuthenticator.class.getDeclaredMethod("readToken",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ try {
+ method.invoke(kerberosAuthenticator, conn);
+ } catch (Exception e) {
+ Assert.fail("readToken() method should not have thrown any exception" +
e);
+ }
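Review bot: In testReadToken the mocked header value is built with `Arrays.toString(base64.encode("foobar".getBytes()))`, which renders the encoded byte array as a bracketed list of decimal numbers (`[90, 109, ...]`) rather than a Base64 string, so readToken is never given a well-formed Negotiate token. Because the only check is that no exception is thrown, the test can pass while the token-parsing path of this authentication code goes unverified. Assuming `Base64` is the commons-codec class, build the value with `base64.encodeToString("foobar".getBytes(StandardCharsets.UTF_8))` and assert on what readToken produces rather than only catching exceptions. The same construction is repeated in the second quoted hunk (testReadToken and testReadTokenLowerCase); testReadToken's closing brace lies outside this quoted hunk.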
Review Comment:
Done
##########
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java:
##########
@@ -248,4 +255,86 @@ public void testWrapExceptionWithMessage() {
Assert.assertTrue(ex.equals(ex2));
}
+ @Test(timeout = 60000)
+ public void testNegotiate() throws NoSuchMethodException,
InvocationTargetException,
+ IllegalAccessException, IOException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+ Mockito.when(conn.getHeaderField(KerberosAuthenticator.WWW_AUTHENTICATE)).
+ thenReturn(KerberosAuthenticator.NEGOTIATE);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ Method method =
KerberosAuthenticator.class.getDeclaredMethod("isNegotiate",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ Assert.assertTrue((boolean)method.invoke(kerberosAuthenticator, conn));
+ }
+
+ @Test(timeout = 60000)
+ public void testNegotiateLowerCase() throws NoSuchMethodException,
InvocationTargetException,
+ IllegalAccessException, IOException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+ Mockito.when(conn.getHeaderField("www-authenticate"))
+ .thenReturn(KerberosAuthenticator.NEGOTIATE);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+
+ Method method =
KerberosAuthenticator.class.getDeclaredMethod("isNegotiate",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ Assert.assertTrue((boolean)method.invoke(kerberosAuthenticator, conn));
+ }
+
+ @Test(timeout = 60000)
+ public void testReadToken() throws NoSuchMethodException, IOException,
IllegalAccessException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+ FieldUtils.writeField(kerberosAuthenticator, "base64", new Base64(), true);
+
+ Base64 base64 = new Base64();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+ Mockito.when(conn.getHeaderField(KerberosAuthenticator.WWW_AUTHENTICATE))
+ .thenReturn(KerberosAuthenticator.NEGOTIATE + " " +
+ Arrays.toString(base64.encode("foobar".getBytes())));
+
+ Method method = KerberosAuthenticator.class.getDeclaredMethod("readToken",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ try {
+ method.invoke(kerberosAuthenticator, conn);
+ } catch (Exception e) {
+ Assert.fail("readToken() method should not have thrown any exception" +
e);
+ }
+ }
+
+ @Test(timeout = 60000)
+ public void testReadTokenLowerCase() throws NoSuchMethodException,
IOException,
+ IllegalAccessException {
+ KerberosAuthenticator kerberosAuthenticator = new KerberosAuthenticator();
+ FieldUtils.writeField(kerberosAuthenticator, "base64", new Base64(), true);
+
+ Base64 base64 = new Base64();
+
+ HttpURLConnection conn = Mockito.mock(HttpURLConnection.class);
+
Mockito.when(conn.getResponseCode()).thenReturn(HttpURLConnection.HTTP_UNAUTHORIZED);
+ Mockito.when(conn.getHeaderField("www-authenticate"))
+ .thenReturn(KerberosAuthenticator.NEGOTIATE +
+ Arrays.toString(base64.encode("foobar".getBytes())));
+
+ Method method = KerberosAuthenticator.class.getDeclaredMethod("readToken",
+ HttpURLConnection.class);
+ method.setAccessible(true);
+
+ try {
+ method.invoke(kerberosAuthenticator, conn);
+ } catch (Exception e) {
+ Assert.fail("readToken() method should not have thrown any exception" +
e);
+ }
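Review bot: testReadTokenLowerCase concatenates `KerberosAuthenticator.NEGOTIATE +` directly with the token, without the `" "` separator that testReadToken uses, so the lower-case case is fed a differently shaped header value than the upper-case one. If readToken strips the scheme plus one separator character (its body is not visible here), the first character of the token would be dropped and the two tests would not be comparing the same thing. Use `.thenReturn(KerberosAuthenticator.NEGOTIATE + " " +` so the only difference between the two tests is the header-name case. The method's closing brace is outside this quoted hunk.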
Review Comment:
Done
Issue Time Tracking
-------------------
Worklog Id: (was: 769493)
Time Spent: 50m (was: 40m)
> Hadoop auth does not handle HTTP Headers in a case-insensitive way
> ------------------------------------------------------------------
>
> Key: HADOOP-18120
> URL: https://issues.apache.org/jira/browse/HADOOP-18120
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Daniel Fritsi
> Priority: Critical
> Labels: pull-request-available
> Attachments: HADOOP-18120-002.patch, HADOOP-18120-003.patch,
> HADOOP-18120.patch
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> According to [RFC-2616|https://www.ietf.org/rfc/rfc2616.txt] HTTP Headers are
> case-insensitive. There are proxies / load balancers (e.g.: newer versions of
> HA-proxy) which deliberately make some of the HTTP headers lower-case, which
> results in an authentication / authorization failure inside the Hadoop codebase.
> I've created a small patch (I'm from Cloudera):
> [^hadoop-auth-headers.patch]. This resolves our authentication issue. Can
> someone please have a look at this?