[jira] [Created] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
Venkat Ranganathan created HADOOP-11837: --- Summary: After HADOOP-11754, oozie fails to stop cleanly Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Venkat Ranganathan updated HADOOP-11837: Attachment: HADOOP-11837.patch After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11837) After HADOOP-11754, oozie fails to stop cleanly
[ https://issues.apache.org/jira/browse/HADOOP-11837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14497454#comment-14497454 ] Venkat Ranganathan commented on HADOOP-11837: - Thanks [~wheat9] for the quick review. Not sure I understand your comment. HttpServer2 creates a new instance of the signer provider using constructSecretProvider and will destroy that object. AuthenticationFilter instance is not exposed to others. Why would you need a flag to protect the private instance in the destroy method. After HADOOP-11754, oozie fails to stop cleanly --- Key: HADOOP-11837 URL: https://issues.apache.org/jira/browse/HADOOP-11837 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.7.0 Reporter: Venkat Ranganathan Assignee: Venkat Ranganathan Priority: Blocker Fix For: 2.7.0 Attachments: HADOOP-11837.patch After HADOOP-11754, AuthenticationFilter has to be enhanced to destroy to secret provider. Else, products like Oozie which extend the AuthenticationFilter fail to stop -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109
[
https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14079302#comment-14079302
]
Venkat Ranganathan commented on HADOOP-10710:
-
[~tucu00] Yes. With the fixes in HADOOP-10710, Oozie console in a secure
cluster is functional.
hadoop.auth cookie is not properly constructed according to RFC2109
---
Key: HADOOP-10710
URL: https://issues.apache.org/jira/browse/HADOOP-10710
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.4.0
Reporter: Alejandro Abdelnur
Assignee: Juan Yu
Fix For: 2.5.0
Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch,
HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch,
HADOOP-10710.006.patch, HADOOP-10710.007.patch
It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are
being constructed.
Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}}
class and corresponding {{HttpServletResponse}} methods. This was taking care
of setting attributes like 'Version=1' and double-quoting the cookie value if
necessary.
HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and
setting values and attributes by hand. This is not taking care of setting
required attributes like Version and escaping the cookie value.
While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is
breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its
access is broken since this change.
It seems that HADOOP-10379 main objective was to set the 'secure' attribute.
Note this can be done using the {{Cookie}} API.
We should revert the cookie creation logic to use the {{Cookie}} API and take
care of the security flag via {{setSecure(boolean)}}.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109
[
https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14073520#comment-14073520
]
Venkat Ranganathan commented on HADOOP-10710:
-
Just as an additional data point, HADOOP-10379 also breaks the use of OOZIE
web console in secure clusters
hadoop.auth cookie is not properly constructed according to RFC2109
---
Key: HADOOP-10710
URL: https://issues.apache.org/jira/browse/HADOOP-10710
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.4.0
Reporter: Alejandro Abdelnur
Assignee: Juan Yu
Fix For: 2.5.0
Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch,
HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch,
HADOOP-10710.006.patch, HADOOP-10710.007.patch
It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are
being constructed.
Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}}
class and corresponding {{HttpServletResponse}} methods. This was taking care
of setting attributes like 'Version=1' and double-quoting the cookie value if
necessary.
HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and
setting values and attributes by hand. This is not taking care of setting
required attributes like Version and escaping the cookie value.
While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is
breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its
access is broken since this change.
It seems that HADOOP-10379 main objective was to set the 'secure' attribute.
Note this can be done using the {{Cookie}} API.
We should revert the cookie creation logic to use the {{Cookie}} API and take
care of the security flag via {{setSecure(boolean)}}.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
