[ 
https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13888166#comment-13888166
 ] 

Daryn Sharp commented on HADOOP-10301:
--------------------------------------

The 0.23 patch causes problems for oozie's use of auth cookies.  Oozie caches 
the cookies on the local fs until they are invalid and expects fallback to 
spnego to occur.

Currently, an uncaught AuthenticationException in a servlet sends the client an 
illegal 401 with no WWW-Authenticate header.  The existing behavior:
# 2.x catches and ignores AuthenticationException while validating auth cookies 
- expired, wrong secret, wrong type, etc.  A valid 401 + negotiate header is 
sent to trigger spnego.  No problem here.
# 0.23 does *not* catch AuthenticationException while validating auth cookies.  
Servlet returns an illegal 401 with no auth header causing a client NPE.
# Neither 2.x nor 0.23 catch AuthenticationExceptions if spnego fails or proxy 
authorization fails.  Servlet returns an illegal 401.  Client NPE.

These patches fix all these issues by converting uncaught 
AuthenticationExceptions from 401 to 403 Forbidden which is entirely 
appropriate for #3.  However, for 0.23 (#2), the client does not revert to 
spnego for invalid auth cookies.  I'm studying AuthenticatedURL to see how the 
invalid 401 ever could have worked for oozie.  There's a tangle of issues with 
how webhdfs vs. oozie expects this to work that I'm investigating.
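As an added illustration of the three cases the comment lists (not hadoop-auth's AuthenticationFilter, nor code from the attached patches), the servlet filter below shows the response a client can actually act on in each case: an invalid auth cookie is treated as "no cookie" and answered with a 401 that carries a WWW-Authenticate: Negotiate header so the client falls back to SPNEGO, while a SPNEGO or proxy-authorization failure is answered with 403 Forbidden. The class name, the cookie name, the cookie format, the shared secret and the userFromSpnego stand-in are all assumptions made for this example; a real filter would hand the Negotiate token to GSSAPI.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not hadoop-auth's) showing cookie validation with SPNEGO fallback. */
public class CookieThenSpnegoFilter implements Filter {

  /** Stand-in for hadoop-auth's AuthenticationException. */
  static class AuthenticationException extends Exception {
    AuthenticationException(String msg) { super(msg); }
  }

  static final String COOKIE_NAME = "hadoop.auth";            // assumed cookie name
  static final byte[] SHARED_SECRET =                         // constructed, example only
      "constructed-example-secret".getBytes(StandardCharsets.UTF_8);

  @Override public void init(FilterConfig cfg) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    String user;
    try {
      // Cases 1 and 2: an expired, mis-signed or malformed cookie must not escape the
      // filter; it is treated exactly like a missing cookie so SPNEGO is offered.
      user = userFromCookie(request);
    } catch (AuthenticationException invalidCookie) {
      user = null;
    }

    if (user == null) {
      String authz = request.getHeader("Authorization");
      if (authz == null || !authz.startsWith("Negotiate ")) {
        // A legal challenge: every 401 carries a WWW-Authenticate header, which is what
        // lets HttpURLConnection-based clients (AuthenticatedURL) retry with SPNEGO.
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }
      try {
        // Case 3: a SPNEGO or proxy-user failure is a definite rejection, not a request
        // for credentials, so it is answered with 403 rather than a bare 401.
        user = userFromSpnego(authz.substring("Negotiate ".length()));
      } catch (AuthenticationException rejected) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, rejected.getMessage());
        return;
      }
    }
    request.setAttribute("auth.user", user);
    chain.doFilter(req, res);
  }

  /** Returns the user named in a valid cookie, null when absent, throws when invalid. */
  static String userFromCookie(HttpServletRequest request) throws AuthenticationException {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) return null;
    for (Cookie c : cookies) {
      if (!COOKIE_NAME.equals(c.getName())) continue;
      // Constructed cookie layout: "<user>&<expiresEpochMillis>&<base64 HMAC-SHA256>"
      String[] parts = c.getValue().split("&");
      if (parts.length != 3) throw new AuthenticationException("wrong cookie type");
      try {
        byte[] expected = hmac(parts[0] + "&" + parts[1]);
        byte[] given = Base64.getDecoder().decode(parts[2]);
        if (!MessageDigest.isEqual(expected, given)) {   // constant-time comparison
          throw new AuthenticationException("wrong secret");
        }
        if (Long.parseLong(parts[1]) < System.currentTimeMillis()) {
          throw new AuthenticationException("cookie expired");
        }
      } catch (IllegalArgumentException malformed) {      // bad base64 or timestamp
        throw new AuthenticationException("malformed cookie");
      }
      return parts[0];
    }
    return null;
  }

  /** Hypothetical SPNEGO step; a real filter would pass the token to GSSAPI here. */
  static String userFromSpnego(String base64Token) throws AuthenticationException {
    if (base64Token.isEmpty()) throw new AuthenticationException("empty Negotiate token");
    throw new AuthenticationException("SPNEGO validation not implemented in this example");
  }

  static byte[] hmac(String data) {
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
      return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException(e);
    }
  }
}
```

A quick way to check a deployed filter for the defect the comment describes is to send a request with a deliberately expired or garbled cookie and confirm that the 401 response includes a WWW-Authenticate header; a 401 without it is the illegal response that produces the client-side NPE.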


> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a 
> WWW-Authenticate header.  This is illegal per the HTTP RFC and causes an NPE 
> in the HttpUrlConnection.
> This is half of a fix that affects webhdfs.  See HDFS-4564.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
