[ https://issues.apache.org/jira/browse/HIVE-14984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15589096#comment-15589096 ]

Barna Zsombor Klara commented on HIVE-14984:
--------------------------------------------

The replay attack is caused because we are trying to authenticate twice within 
a short amount of time.
It only happens when we request the context root and authenticate ourselves in 
the AuthenticationFilter; the request is then forwarded to the welcome page 
(index.html in this case), but the forwarded request goes through the same 
AuthenticationFilter and is authenticated again.

As described in [HADOOP-8830|https://issues.apache.org/jira/browse/HADOOP-8830], 
a second call to the AuthenticationFilter will cause a replay attack, as the 
authentication cookie is only set on the response.

I would suggest doing URL rewriting instead of forwarding, to prevent the 
second call chain from causing the second authentication request.

*As a side effect we would be serving the same page to requests for both the 
context root and hiveserver2.jsp.* 

> Hive-WebUI access results in Request is a replay (34) attack
> ------------------------------------------------------------
>
>                 Key: HIVE-14984
>                 URL: https://issues.apache.org/jira/browse/HIVE-14984
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 1.2.0
>            Reporter: Venkat Sambath
>            Assignee: Barna Zsombor Klara
>
> When trying to access the kerberized webui of HS2, the following error is received:
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request 
> is a replay (34))
> This is not happening for the RM webui (checked with kerberos webui 
> enabled).
> To reproduce the issue, try running
> curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt 
> http://<hostname>:10002/
> from any cluster node,
> or 
> try accessing the URL from a Windows VM with the Firefox browser to 
> replicate the issue.
> The following workaround helped, but a permanent solution for the bug is needed.
> Workaround:
> =========
> First access the index.html directly and then actual URL of webui
> curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt 
> http://<hostname>:10002/index.html
> curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt 
> http://<hostname>:10002
> In browser:
> First access
> http://<hostname>:10002/index.html
> then
> http://<hostname>:10002
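To make the double pass concrete, here is a constructed Python model (an added example, not Hive or Hadoop code; the filter class, cookie name, token strings and paths are stand-ins) of the forward path the comment describes, the URL-rewrite alternative that serves the welcome page for the context root without a second filter pass, and the reporter's index.html-first workaround:

```python
class ReplayError(Exception):
    """Stands in for GSSException 'Request is a replay (34)'."""

class AuthenticationFilter:
    """Runs the SPNEGO handshake only when the signed auth cookie is absent."""
    COOKIE = "hadoop.auth"

    def __init__(self):
        self.replay_cache, self.handshakes = set(), 0

    def do_filter(self, req, resp, chain):
        if self.COOKIE not in req["cookies"]:
            token = req["negotiate"]
            if token in self.replay_cache:      # the replay cache rejects a token seen before
                raise ReplayError("Request is a replay (34)")
            self.replay_cache.add(token)
            resp["set_cookie"][self.COOKIE] = "signed"  # cookie is set on the RESPONSE only
            self.handshakes += 1
        chain(req, resp)

def make_servlet(filt, mode):
    def servlet(req, resp):
        if req["path"] != "/":
            resp["body"] = "page " + req["path"]
        elif mode == "forward":
            # Server-side forward re-enters the filter with the same request object:
            # still no cookie and the same token, so the replay cache rejects it.
            filt.do_filter(dict(req, path="/index.html"), resp, servlet)
        else:  # "rewrite": serve the welcome page for / with no second filter pass
            resp["body"] = "page /index.html"
    return servlet

def browse(mode, warm_up=False):
    """One client session; returns (outcome, number of SPNEGO handshakes).
    warm_up=True is the reporter's workaround: request /index.html before /."""
    filt = AuthenticationFilter()
    servlet, jar = make_servlet(filt, mode), {}
    paths = ["/index.html", "/"] if warm_up else ["/"]
    try:
        for n, path in enumerate(paths, 1):
            # a real client mints a fresh authenticator for every request it sends
            req = {"path": path, "negotiate": f"AP-REQ-{n}", "cookies": dict(jar)}
            resp = {"set_cookie": {}, "body": None}
            filt.do_filter(req, resp, servlet)
            jar.update(resp["set_cookie"])  # persisted cookie jar, like curl -b/-c
        return resp["body"], filt.handshakes
    except ReplayError as e:
        return str(e), filt.handshakes
```

`browse("forward")` reports the replay after a single handshake, while `browse("rewrite")` and `browse("forward", warm_up=True)` both return the welcome page with one handshake, because the second pass (or second request) already carries the cookie.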



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)