[jira] [Resolved] (IMPALA-9001) Fix SPNEGO for requests with no "Authorization"

Fri, 04 Oct 2019 14:38:40 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-9001?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Tauber-Marshall resolved IMPALA-9001.
--------------------------------------------
    Fix Version/s: Impala 3.4.0
       Resolution: Fixed

> Fix SPNEGO for requests with no "Authorization"
> -----------------------------------------------
>
>                 Key: IMPALA-9001
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9001
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.4.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Critical
>             Fix For: Impala 3.4.0
>
>
> When SPNEGO was first implemented for both hs2 and the webui, the way we 
> handled requests that did not include an "Authorization" header was to pass 
> an empty string to gss-api and then return a "WWW-Authenticate: Negotiate 
> <token>" where <token> was whatever was returned by gss-api.
> This seemed to work with the clients it was originally tested with, curl and 
> Knox, but it has been found not to work with some other clients. In 
> particular, the following stack trace has been observed when using java's 
> HttpURLConnection API:
> {noformat}
> Caused by: java.lang.NullPointerException
>         at 
> sun.net.www.protocol.http.NegotiateAuthentication.nextToken(NegotiateAuthentication.java:252)
>         at 
> sun.net.www.protocol.http.NegotiateAuthentication.setHeaders(NegotiateAuthentication.java:209)
>         at 
> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2507)
>         at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1719)
>         at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
>         at 
> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>         ... 20 more
> {noformat}
> Through some experimentation and by comparing our behavior with other Hadoop 
> components, I determined that sending the initial "WWW-Authenticate" with no 
> token works for all (tested) clients. This is also consistent with the 
> description of the SPNEGO protocol in this document: 
> https://tools.ietf.org/html/rfc4559#section-4.1 which states "The initial 
> WWW-Authenticate header will not carry any gssapi-data."



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to