Thomas Tauber-Marshall has uploaded this change for review. (

Change subject: IMPALA-8869: Fix handling of HTTP keep-alive when returning 401

IMPALA-8869: Fix handling of HTTP keep-alive when returning 401

Recent work has added support for HTTP authentication both for the
thrift hs2 interface and for the webserver. In both cases, we
mishandle HTTP keep-alive semantics when returning a 401 because we
close the connection but don't return a 'Connection: close' header,
even though we're using HTTP/1.1 where keep-alive is assumed, which
can cause clients to incorrectly believe that the connection has
remained open.

For the webserver, the fix is to enable keep-alive in squeasel so
that the connection isn't closed after the 401 is returned.

For the thrift hs2 interface, we throw an exception after the 401
which results in the connection being closed because otherwise it's
tricky with the way thrift is structured to ensure that the
unauthorized request isn't processed. So, the fix here is to return a
'Connection: close' header.

- Ran existing HTTP auth tests.
- Manually tested in a cluster with connections to Impala proxied
  through Apache Knox.

Change-Id: I3d5f80dbcde5b623a1d0586b5d763a062dd21afa
M be/src/transport/THttpServer.cpp
M be/src/util/
2 files changed, 5 insertions(+), 1 deletion(-)

  git pull ssh:// refs/changes/76/14076/1
To view, visit
To unsubscribe, visit

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3d5f80dbcde5b623a1d0586b5d763a062dd21afa
Gerrit-Change-Number: 14076
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <>

Reply via email to