[jira] [Created] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
Venkat Ranganathan created HADOOP-11837: --- Summary: After HADOOP-11754, oozie fails to stop cleanly Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Venkat Ranganathan updated HADOOP-11837: Attachment: HADOOP-11837.patch After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14497454#comment-14497454 ] Venkat Ranganathan commented on HADOOP-11837: - Thanks [~wheat9] for the quick review. Not sure I understand your comment. HttpServer2 creates a new instance of the signer provider using constructSecretProvider and will destroy that object. AuthenticationFilter instance is not exposed to others. Why would you need a flag to protect the private instance in the destroy method. After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109
[ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14079302#comment-14079302 ] Venkat Ranganathan commented on HADOOP-10710: - [~tucu00] Yes. With the fixes in HADOOP-10710, Oozie console in a secure cluster is functional. hadoop.auth cookie is not properly constructed according to RFC2109 --- Key: HADOOP-10710 URL: https://issues.apache.org/jira/browse/HADOOP-10710 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.4.0 Reporter: Alejandro Abdelnur Assignee: Juan Yu Fix For: 2.5.0 Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch, HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch, HADOOP-10710.006.patch, HADOOP-10710.007.patch It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are being constructed. Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}} class and corresponding {{HttpServletResponse}} methods. This was taking care of setting attributes like 'Version=1' and double-quoting the cookie value if necessary. HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and setting values and attributes by hand. This is not taking care of setting required attributes like Version and escaping the cookie value. While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its access is broken since this change. It seems that HADOOP-10379 main objective was to set the 'secure' attribute. Note this can be done using the {{Cookie}} API. We should revert the cookie creation logic to use the {{Cookie}} API and take care of the security flag via {{setSecure(boolean)}}. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109
[ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14073520#comment-14073520 ] Venkat Ranganathan commented on HADOOP-10710: - Just as an additional data point, HADOOP-10379 also breaks the use of OOZIE web console in secure clusters hadoop.auth cookie is not properly constructed according to RFC2109 --- Key: HADOOP-10710 URL: https://issues.apache.org/jira/browse/HADOOP-10710 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.4.0 Reporter: Alejandro Abdelnur Assignee: Juan Yu Fix For: 2.5.0 Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch, HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch, HADOOP-10710.006.patch, HADOOP-10710.007.patch It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are being constructed. Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}} class and corresponding {{HttpServletResponse}} methods. This was taking care of setting attributes like 'Version=1' and double-quoting the cookie value if necessary. HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and setting values and attributes by hand. This is not taking care of setting required attributes like Version and escaping the cookie value. While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its access is broken since this change. It seems that HADOOP-10379 main objective was to set the 'secure' attribute. Note this can be done using the {{Cookie}} API. We should revert the cookie creation logic to use the {{Cookie}} API and take care of the security flag via {{setSecure(boolean)}}. -- This message was sent by Atlassian JIRA (v6.2#6252)