[ https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HDFS-4564:
------------------------------
Attachment: HDFS-4564.branch-23.patch
Pretty straightforward patch to return 403 in the filter instead of an illegal 401
when an auth failure occurs.
The webhdfs client won't unnecessarily use the flawed AuthenticatedURL for
delegation token operations. It's unnecessary because Java already handles
SPNEGO. If SPNEGO fails, AuthenticatedURL falls back to a pseudo authenticator
assuming SPNEGO isn't needed - but also fails when Java retries SPNEGO and
triggers a replay attack followed by an NPE in the client.
Also had to hoist webhdfs doAs higher to ensure the correct ugi is used for the
connection.
Will attach trunk/branch-2 patch shortly.
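As an added illustration of the status split described above (not the attached patch or Hadoop's code), a servlet filter that answers a missing or failed authentication with 401 plus a challenge, but answers a denied operation for an already authenticated user with 403 and no challenge; the DenialStatusFilter class and its AccessDecider hook are assumptions:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not Hadoop's code): authentication failures keep the 401
// challenge, authorization failures become 403. AccessDecider is an assumption.
public class DenialStatusFilter implements Filter {
  public interface AccessDecider {
    // Returns null when the request carries no usable credentials.
    String authenticatedUser(HttpServletRequest req);
    // True when this user may perform the requested operation.
    boolean isAllowed(String user, HttpServletRequest req);
  }

  private final AccessDecider decider;
  public DenialStatusFilter(AccessDecider decider) { this.decider = decider; }

  @Override public void init(FilterConfig cfg) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    String user = decider.authenticatedUser(req);
    if (user == null) {
      // No identity: 401 plus a challenge is the one case where the client
      // should retry with credentials (e.g. a SPNEGO token).
      resp.setHeader("WWW-Authenticate", "Negotiate");
      resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
      return;
    }
    if (!decider.isAllowed(user, req)) {
      // Known identity, denied operation (bad proxy user, wrong renewer, ...):
      // 403 with no challenge, so the client does not re-run authentication.
      resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Operation not permitted");
      return;
    }
    chain.doFilter(req, resp);
  }
}
```

A client such as AuthenticatedURL only re-attempts authentication on a 401 challenge, so the 403 path avoids the SPNEGO retry the comment describes.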
> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
> Key: HDFS-4564
> URL: https://issues.apache.org/jira/browse/HDFS-4564
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: webhdfs
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-4564.branch-23.patch
>
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's
> denying operations. Examples include rejecting invalid proxy user attempts
> and renew/cancel with an invalid user.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)