[ https://issues.apache.org/jira/browse/KNOX-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Minder updated KNOX-1171:
-------------------------------
    Attachment: KNOX-1171-001_v0.14.0.patch

> Handle invalid hadoop.auth cookie returned by Oozie
> ---------------------------------------------------
>
>                 Key: KNOX-1171
>                 URL: https://issues.apache.org/jira/browse/KNOX-1171
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.14.0
>            Reporter: Kevin Minder
>            Assignee: Kevin Minder
>            Priority: Major
>             Fix For: 1.1.0
>
>         Attachments: KNOX-1171-001_v0.14.0.patch, KNOX-1171.patch
>
>
> There are issues with Oozie/HadoopAuth that prevent the proxying of the Oozie 
> UI in secure clusters.  
> The HadoopAuth issue below is preventing HttpClient from handling hadoop.auth 
> token resulting in every interaction with Oozie requiring a SPNego 
> authentication in a secure cluster. 
> https://issues.apache.org/jira/browse/HADOOP-10710
> The Oozie issue below prevents certain Oozie resources from being accessible 
> when SPNego authentication occurs.  This is caused by these resources being 
> authenticated twice which results in a Kerberos replay attack 
> detection/failure. https://issues.apache.org/jira/browse/OOZIE-2427
> The combination of these two issues prevents the Oozie UI from being proxied 
> in a secure cluster.
> The proposed solution is to enhance HadoopAuthCookieStore to handle cases 
> where the cookie value isn't RFC2109 compliant by wrapping the value in double 
> quotes if they are missing.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
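
The quoting rule proposed in the issue description, as an added plain-Java sketch; it is not the attached patch or the HadoopAuthCookieStore source. The class and method names are hypothetical and the cookie values are constructed samples.

```java
// Added illustration, not the Knox HadoopAuthCookieStore source; names are hypothetical.
public class HadoopAuthCookieQuoting {
    // Separators that may not appear in an unquoted RFC 2109 token.
    private static final String TSPECIALS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isToken(String v) {
        if (v.isEmpty()) return false;
        for (char c : v.toCharArray()) {
            if (c <= 31 || c >= 127 || TSPECIALS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    static boolean isQuoted(String v) {
        return v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"");
    }

    // Leaves quoted-strings and bare tokens alone; wraps anything else in double
    // quotes, escaping embedded backslashes and quotes so the result stays parseable.
    static String normalize(String name, String value) {
        if (!"hadoop.auth".equals(name) || value == null) return value;
        if (isQuoted(value) || isToken(value)) return value;
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed samples: {cookie name, raw value}. Token contents are placeholders.
        String[][] samples = {
            {"hadoop.auth", "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=0&s=PLACEHOLDER"},
            {"hadoop.auth", "\"u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=0&s=PLACEHOLDER\""},
            {"hadoop.auth", "opaquetoken123"},
            {"JSESSIONID", "a=b"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + ": " + s[1] + " -> " + normalize(s[0], s[1]));
        }
    }
}
```

Only the first sample is rewritten: its `=` and `@` characters are not legal in a bare token, so a strict RFC 2109 parser would otherwise reject the value and the client would fall back to a fresh SPNego exchange on every request.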
