[
https://issues.apache.org/jira/browse/IMPALA-9423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17046003#comment-17046003
]
ASF subversion and git services commented on IMPALA-9423:
---------------------------------------------------------
Commit 49774fd2e14343dbb5f32c71655f91dae6e6daac in impala's branch
refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=49774fd ]
IMPALA-9423: Add keys to cookie components
Impala's HTTP authentication cookie format is similar, but not
identical, to the format used by other Hadoop components.
This has caused us some problems when other Hadoop systems make
assumptions about the cookie format. In particular, KNOX-2223 made a
change to Apache Knox's cookie handling that works for cookies
generated by Hive and HDFS but breaks cookie handling for Impala when
requests are proxied through Knox.
This match modifies our cookie format slightly to more closely
resemble Hive and HDFS's format by adding keys to the individual
components of the cookie value, fixing the regression caused by
KNOX-2223 and hopefully reducing the probability of another such
regression being introduced in the future.
Testing:
- Ran existing cookie auth tests. Updated one test to fix an issue
introduced by IMPALA-8899 where we were no longer testing what we
thought we were.
- Manualy tested in a cluster with Apache Knox.
Change-Id: I73f37a4c4f28edf35f4b8195d3f03a2f178f3d0b
Reviewed-on: http://gerrit.cloudera.org:8080/15301
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Fix cookie auth with Knox
> -------------------------
>
> Key: IMPALA-9423
> URL: https://issues.apache.org/jira/browse/IMPALA-9423
> Project: IMPALA
> Issue Type: Bug
> Components: Clients
> Reporter: Thomas Tauber-Marshall
> Assignee: Thomas Tauber-Marshall
> Priority: Major
>
> When Apache Knox is being used to proxy connections to Impala, it used to be
> the case that Knox would return the authentication cookies generated by
> Impala, saving extra round trips and authentications to Kerberos/LDAP.
> This was broken by KNOX-2223 - Knox only returns auth cookies that it thinks
> are for it, which it determines by checking for its Kerberos principal in the
> cookie string. With KNOX-2223, the principal is expected to be preceded by a
> '=', which Impala doesn't do.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
