[
https://issues.apache.org/jira/browse/OOZIE-2322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated OOZIE-2322:
---------------------------------
Attachment: OOZIE-2322.001.patch
After a ridiculous amount of investigation, it turns out that OOZIE-1890
accidentally changed {{oozie.authentication.cookie.domain}} from empty string
to space in oozie-default.xml. While that seems like a minor change, it makes a
big difference. In Hadoop Configurations, an empty string gets thrown away
(i.e. conf.get("foo") == null), but whitespace becomes an empty string (i.e.
conf.get("foo") == ""), which is somewhat confusing. Anyway, this made the
default cookie domain empty string instead of (magically?) defaulting to the
hostname. This is fine for Chrome, Firefox, IE 8/9, but it breaks IE 10/11 and
curl, which are more strict and so would throw away the cookie.
The patch simply sets the default value back to empty string.
curl's verbose logging was really helpful in finally finding that the cookie
domain was the problem. Here's what we see in the headers without the patch:
{noformat}
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
* skipped cookie with illegal dotcount domain:
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain= ; Expires=Thu, 30-Jul-2015 17:28:19 GMT; HttpOnly
* Added cookie JSESSIONID="8CD6FC2FEE84506094B1DC2F607C7D6C" for domain host-10-17-81-194.coe.cloudera.com, path /oozie, expire 0
< Set-Cookie: JSESSIONID=8CD6FC2FEE84506094B1DC2F607C7D6C; Path=/oozie
< Content-Type: text/html
< Content-Length: 3754
< Date: Thu, 30 Jul 2015 07:28:19 GMT
<
{noformat}
Here's the code in the version of curl we were using, where the error message
comes from:
https://github.com/bagder/curl/blob/curl-7_19_7/lib/cookie.c#L269-L302
It's looking for a certain number of dots in the domain. Obviously, in a blank
domain, there are none.
Interestingly, newer versions of curl appear to do something a bit different
here, with a slightly different error message (perhaps they've made it more
tolerant?)
https://github.com/bagder/curl/blob/master/lib/cookie.c#L468-L503
And here's with the patch:
{noformat}
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< WWW-Authenticate: Negotiate
* Added cookie hadoop.auth="" for domain host-10-17-81-194.coe.cloudera.com, path /, expire 1
< Set-Cookie: hadoop.auth=; Path=/; Domain=host-10-17-81-194.coe.cloudera.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
< Content-Type: text/html;charset=utf-8
< Content-Length: 997
< Date: Thu, 30 Jul 2015 08:01:15 GMT
<
...
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
* Replaced cookie hadoop.auth=""<REDACTED>"" for domain host-10-17-81-194.coe.cloudera.com, path /, expire 1438279275
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain=host-10-17-81-194.coe.cloudera.com; Expires=Thu, 30-Jul-2015 18:01:15 GMT; HttpOnly
* Added cookie JSESSIONID="267D1BB9F7B8D512D35E35DF95BCF263" for domain host-10-17-81-194.coe.cloudera.com, path /oozie, expire 0
< Set-Cookie: JSESSIONID=267D1BB9F7B8D512D35E35DF95BCF263; Path=/oozie
< Content-Type: text/html
< Content-Length: 3754
< Date: Thu, 30 Jul 2015 08:01:15 GMT
<
{noformat}
> Oozie Web UI doesn't work with Kerberos in Internet Explorer 10 or 11 and curl
> ------------------------------------------------------------------------------
>
> Key: OOZIE-2322
> URL: https://issues.apache.org/jira/browse/OOZIE-2322
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.2.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Attachments: OOZIE-2322.001.patch
>
>
> We see that the Oozie Web UI wasn't working from Internet Explorer 10 or 11,
> and also curl when Kerberos was turned on. It worked fine in IE 8/9, Chrome,
> and Firefox though.
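
A regression check for the symptom described in the comment above, as an added example that is not part of the patch or of Oozie's code: it scans `curl -v` style response headers for a `Set-Cookie` whose `Domain` attribute is present but blank. The sample headers are constructed from the output quoted in this message, and `effective_cookie_domain` is a hypothetical server-side guard, not an Oozie or Hadoop function.

```python
import re

# Constructed sample: Set-Cookie lines modelled on the curl -v output quoted in
# this message, with the mail-wrapped lines rejoined and the token redacted.
SAMPLE_HEADERS = """\
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain= ; Expires=Thu, 30-Jul-2015 17:28:19 GMT; HttpOnly
< Set-Cookie: JSESSIONID=8CD6FC2FEE84506094B1DC2F607C7D6C; Path=/oozie
< Set-Cookie: hadoop.auth="<REDACTED>"; Path=/; Domain=host-10-17-81-194.coe.cloudera.com; Expires=Thu, 30-Jul-2015 18:01:15 GMT; HttpOnly
"""

SET_COOKIE = re.compile(r"^(?:<\s*)?Set-Cookie:\s*(.*)$", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = value.split(";")
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # A flag such as HttpOnly has no "=", so record it as None rather than "".
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs


def blank_domain_cookies(text):
    """Return the names of cookies whose Domain attribute is present but empty."""
    flagged = []
    for line in text.splitlines():
        m = SET_COOKIE.match(line.strip())
        if not m:
            continue
        name, attrs = parse_set_cookie(m.group(1))
        if "domain" in attrs and not attrs["domain"]:
            flagged.append(name)
    return flagged


def effective_cookie_domain(configured):
    """Hypothetical guard: treat a blank or whitespace-only setting as unset."""
    if configured is None or not configured.strip():
        return None
    return configured.strip()


if __name__ == "__main__":
    print(blank_domain_cookies(SAMPLE_HEADERS))
```

Running a check like this against a Kerberos-enabled test instance catches a whitespace default in the configuration before strict clients start dropping the authentication cookie.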