[
https://issues.apache.org/jira/browse/KNOX-598?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Minder updated KNOX-598:
------------------------------
Attachment: KNOX-598_001.patch
> Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes HTTP 401
> error (due to Kerberos Replay attack error)
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: KNOX-598
> URL: https://issues.apache.org/jira/browse/KNOX-598
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.4.0
> Reporter: Kevin Minder
> Priority: Blocker
> Fix For: 0.7.0
>
> Attachments: KNOX-598_001.patch
>
>
> In high concurrency scenarios the same Knox service principal can end up
> requesting two service tickets for HiveServer2's HTTP service principal
> within the same microsecond. This is being detected on the HiveServer2 side
> as a replay attack. The fix is to include some concurrency controls in Knox
> to ensure that this cannot occur. This will introduce some minor
> serialization but this seems unavoidable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
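
The collision described in the issue, as an added example that is not the content of KNOX-598_001.patch or any Knox code: a simplified model of an acceptor-side replay cache that rejects a repeated (client, server, microsecond timestamp) tuple, next to a hypothetical initiator-side gate that serializes callers so the same timestamp is never used twice. The class, method and principal names are assumptions, and the clock is deliberately coarse so the collision shows up on every run.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.LongSupplier;

public class ReplayCollisionDemo {
    // Model of an acceptor-side replay cache: a repeated tuple is treated as a replay.
    static final Set<String> seen = ConcurrentHashMap.newKeySet();
    static boolean accept(String client, String server, long micros) {
        return seen.add(client + "|" + server + "|" + micros);
    }

    // Hypothetical initiator-side gate: one caller at a time, never the same timestamp twice.
    static final Object GATE = new Object();
    static long lastMicros = Long.MIN_VALUE;
    static long serializedTimestamp(LongSupplier clock) {
        synchronized (GATE) {
            long now;
            // Wait inside the lock until the clock has moved past the last issued value.
            while ((now = clock.getAsLong()) <= lastMicros) Thread.onSpinWait();
            lastMicros = now;
            return now;
        }
    }

    // Fires `threads` concurrent requests and counts how many the replay cache rejects.
    static int rejected(int threads, LongSupplier timestampSource) throws InterruptedException {
        seen.clear();
        AtomicInteger rejects = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] pool = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            pool[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                // Constructed principals, not taken from the issue.
                if (!accept("knox@EXAMPLE.COM", "HTTP/hs2.example.com@EXAMPLE.COM", timestampSource.getAsLong()))
                    rejects.incrementAndGet();
            });
            pool[i].start();
        }
        start.countDown();
        for (Thread t : pool) t.join();
        return rejects.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // Millisecond-granularity clock expressed in microseconds, so concurrent callers collide.
        LongSupplier clock = () -> System.currentTimeMillis() * 1_000;
        System.out.println("unguarded rejects: " + rejected(64, clock));
        System.out.println("guarded rejects:   " + rejected(64, () -> serializedTimestamp(clock)));
    }
}
```

The unguarded count varies from run to run; the guarded count is always zero, at the cost of each caller waiting for the clock to advance while holding the lock.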