[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020647#comment-15020647 ] Steve Loughran commented on HADOOP-12050: - This patch prevents a 2.8.0 client submitting work to a secure Hadoop 2.6/2.7 cluster. HADOOP-12587 covers the issue: it's going to need fixing before any release > Enable MaxInactiveInterval for hadoop http auth token > - > > Key: HADOOP-12050 > URL: https://issues.apache.org/jira/browse/HADOOP-12050 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.7.1 >Reporter: Benoy Antony >Assignee: hzlu > Fix For: 2.8.0, 3.0.0 > > Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch > > > During http authentication, a cookie which contains the authentication token > is dropped. The expiry time of the authentication token can be configured via > hadoop.http.authentication.token.validity. The default value is 10 hours. > For clusters which require enhanced security, it is desirable to have a > configurable MaxInActiveInterval for the authentication token. If there is no > activity during MaxInActiveInterval, the authentication token will be > invalidated. > The MaxInActiveInterval will be less than > hadoop.http.authentication.token.validity. The default value will be 30 > minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014453#comment-15014453
]
Vinod Kumar Vavilapalli commented on HADOOP-12050:
--
[~hzlu] / [~benoyantony], the configuration property introduced here doesn't
follow our usual conventions (which I concede are not documented in writing).
But can we rename this from
{{hadoop.http.authentication.token.MaxInactiveInterval}} to
{{hadoop.http.authentication.token.max-inactive-interval}}? If you agree, we
can get it fixed.
> Enable MaxInactiveInterval for hadoop http auth token
> -
>
> Key: HADOOP-12050
> URL: https://issues.apache.org/jira/browse/HADOOP-12050
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.7.1
>Reporter: Benoy Antony
>Assignee: hzlu
> Fix For: 2.8.0, 3.0.0
>
> Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
>
>
> During http authentication, a cookie which contains the authentication token
> is dropped. The expiry time of the authentication token can be configured via
> hadoop.http.authentication.token.validity. The default value is 10 hours.
> For clusters which require enhanced security, it is desirable to have a
> configurable MaxInActiveInterval for the authentication token. If there is no
> activity during MaxInActiveInterval, the authentication token will be
> invalidated.
> The MaxInActiveInterval will be less than
> hadoop.http.authentication.token.validity. The default value will be 30
> minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014579#comment-15014579 ] Benoy Antony commented on HADOOP-12050: --- Sure, we can change the property name to follow the conventions. Please let me know if you want me to open a jira and change it > Enable MaxInactiveInterval for hadoop http auth token > - > > Key: HADOOP-12050 > URL: https://issues.apache.org/jira/browse/HADOOP-12050 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.7.1 >Reporter: Benoy Antony >Assignee: hzlu > Fix For: 2.8.0, 3.0.0 > > Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch > > > During http authentication, a cookie which contains the authentication token > is dropped. The expiry time of the authentication token can be configured via > hadoop.http.authentication.token.validity. The default value is 10 hours. > For clusters which require enhanced security, it is desirable to have a > configurable MaxInActiveInterval for the authentication token. If there is no > activity during MaxInActiveInterval, the authentication token will be > invalidated. > The MaxInActiveInterval will be less than > hadoop.http.authentication.token.validity. The default value will be 30 > minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14702876#comment-14702876 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Yarn-trunk #1022 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/1022/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14702885#comment-14702885 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #292 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/292/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703299#comment-14703299 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Hdfs-trunk #2219 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/2219/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703342#comment-14703342 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Mapreduce-trunk #2238 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2238/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703373#comment-14703373 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #289 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/289/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703309#comment-14703309 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #281 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/281/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.7.1 Reporter: Benoy Antony Assignee: hzlu Fix For: 2.8.0, 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14701970#comment-14701970 ] Hudson commented on HADOOP-12050: - FAILURE: Integrated in Hadoop-trunk-Commit #8318 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/8318/]) hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0) * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java * hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 3.0.0 Reporter: Benoy Antony Assignee: hzlu Fix For: 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14699961#comment-14699961 ] Benoy Antony commented on HADOOP-12050: --- Looks good, +1. If there are no other comments, I'll commit this tomorrow. Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 3.0.0 Reporter: Benoy Antony Assignee: hzlu Fix For: 3.0.0 Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14630672#comment-14630672
]
Hadoop QA commented on HADOOP-12050:
\\
\\
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 22m 4s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 1 new or modified test files. |
| {color:green}+1{color} | javac | 8m 22s | There were no new javac warning
messages. |
| {color:green}+1{color} | javadoc | 10m 18s | There were no new javadoc
warning messages. |
| {color:green}+1{color} | release audit | 0m 21s | The applied patch does
not increase the total number of release audit warnings. |
| {color:green}+1{color} | site | 3m 1s | Site still builds. |
| {color:green}+1{color} | checkstyle | 1m 38s | There were no new checkstyle
issues. |
| {color:green}+1{color} | whitespace | 0m 1s | The patch has no lines that
end in whitespace. |
| {color:green}+1{color} | install | 1m 28s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 34s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 2m 48s | The patch does not introduce
any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 13s | Tests passed in
hadoop-auth. |
| {color:green}+1{color} | common tests | 22m 49s | Tests passed in
hadoop-common. |
| | | 78m 40s | |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12745724/HADOOP-12050.004.patch
|
| Optional Tests | javadoc javac unit findbugs checkstyle site |
| git revision | trunk / ee36f4f |
| hadoop-auth test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/artifact/patchprocess/testrun_hadoop-auth.txt
|
| hadoop-common test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/artifact/patchprocess/testrun_hadoop-common.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf907.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/console |
This message was automatically generated.
Enable MaxInactiveInterval for hadoop http auth token
-
Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
During http authentication, a cookie which contains the authentication token
is dropped. The expiry time of the authentication token can be configured via
hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a
configurable MaxInActiveInterval for the authentication token. If there is no
activity during MaxInActiveInterval, the authentication token will be
invalidated.
The MaxInActiveInterval will be less than
hadoop.http.authentication.token.validity. The default value will be 30
minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14625293#comment-14625293
]
Benoy Antony commented on HADOOP-12050:
---
I have the following review comments on this patch
1. The token is updated after signing the token. This is not correct.
{code}
if (!newToken !token.isExpired()
token != AuthenticationToken.ANONYMOUS
!isCookiePersistent()
getMaxInactiveInterval() 0) {
String signedToken = signer.sign(token.toString());
token.setMaxInactives(System.currentTimeMillis()
+ getMaxInactiveInterval() * 1000);
createAuthCookie(httpResponse, signedToken, getCookieDomain(),
getCookiePath(), token.getExpires(),
isCookiePersistent(), isHttps);
}
{code}
2. There is some code duplication between the above code block and the block
before it . Please refactor so that code duplication is minimized.
Enable MaxInactiveInterval for hadoop http auth token
-
Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments: HADOOP-12050.003.patch
During http authentication, a cookie which contains the authentication token
is dropped. The expiry time of the authentication token can be configured via
hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a
configurable MaxInActiveInterval for the authentication token. If there is no
activity during MaxInActiveInterval, the authentication token will be
invalidated.
The MaxInActiveInterval will be less than
hadoop.http.authentication.token.validity. The default value will be 30
minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14623179#comment-14623179
]
Hadoop QA commented on HADOOP-12050:
\\
\\
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 15m 33s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 1 new or modified test files. |
| {color:green}+1{color} | javac | 7m 36s | There were no new javac warning
messages. |
| {color:green}+1{color} | javadoc | 9m 34s | There were no new javadoc
warning messages. |
| {color:green}+1{color} | release audit | 0m 23s | The applied patch does
not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle | 0m 22s | There were no new checkstyle
issues. |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that
end in whitespace. |
| {color:green}+1{color} | install | 1m 21s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 33s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 0m 42s | The patch does not introduce
any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 18s | Tests passed in
hadoop-auth. |
| | | 41m 25s | |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12744859/HADOOP-12050.003.patch
|
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 47f4c54 |
| hadoop-auth test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/artifact/patchprocess/testrun_hadoop-auth.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/console |
This message was automatically generated.
Enable MaxInactiveInterval for hadoop http auth token
-
Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments: HADOOP-12050.002.patch, HADOOP-12050.003.patch
During http authentication, a cookie which contains the authentication token
is dropped. The expiry time of the authentication token can be configured via
hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a
configurable MaxInActiveInterval for the authentication token. If there is no
activity during MaxInActiveInterval, the authentication token will be
invalidated.
The MaxInActiveInterval will be less than
hadoop.http.authentication.token.validity. The default value will be 30
minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14601931#comment-14601931
]
Hadoop QA commented on HADOOP-12050:
\\
\\
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 15m 8s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 1 new or modified test files. |
| {color:green}+1{color} | javac | 7m 30s | There were no new javac warning
messages. |
| {color:green}+1{color} | javadoc | 9m 39s | There were no new javadoc
warning messages. |
| {color:green}+1{color} | release audit | 0m 21s | The applied patch does
not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle | 0m 21s | There were no new checkstyle
issues. |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that
end in whitespace. |
| {color:green}+1{color} | install | 1m 34s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 34s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 0m 42s | The patch does not introduce
any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 19s | Tests passed in
hadoop-auth. |
| | | 41m 11s | |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12741920/HADOOP-12050.002.patch
|
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / aa5b15b |
| hadoop-auth test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/artifact/patchprocess/testrun_hadoop-auth.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf906.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/console |
This message was automatically generated.
Enable MaxInactiveInterval for hadoop http auth token
-
Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments: HADOOP-12050.002.patch
During http authentication, a cookie which contains the authentication token
is dropped. The expiry time of the authentication token can be configured via
hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a
configurable MaxInActiveInterval for the authentication token. If there is no
activity during MaxInActiveInterval, the authentication token will be
invalidated.
The MaxInActiveInterval will be less than
hadoop.http.authentication.token.validity. The default value will be 30
minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14602193#comment-14602193 ] hzlu commented on HADOOP-12050: --- No problem. Will do. On Thu, Jun 25, 2015 at 5:05 PM, Benoy Antony (JIRA) j...@apache.org Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 3.0.0 Reporter: Benoy Antony Assignee: hzlu Fix For: 3.0.0 Attachments: HADOOP-12050.002.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14602158#comment-14602158 ] Benoy Antony commented on HADOOP-12050: --- Thanks for working on this, [~hzlu] . A few comments on the patch. 1. Please add test cases to test the following scenarios a. Both expiry period and InActiveInterval are not reached. b. Expiry period is reached, InActiveInterval is not reached c. Expiry period is not reached, InActiveInterval is reached d. Both expiry period and InActiveInterval are reached. 2. Update the http auth documentation with enhancements introduced in HADOOP-12049 and HADOOP-12050. 3. A nit: change maxInactive to maxInActive (camel case). Enable MaxInactiveInterval for hadoop http auth token - Key: HADOOP-12050 URL: https://issues.apache.org/jira/browse/HADOOP-12050 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 3.0.0 Reporter: Benoy Antony Assignee: hzlu Fix For: 3.0.0 Attachments: HADOOP-12050.002.patch During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours. For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated. The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[
https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14587107#comment-14587107
]
Hadoop QA commented on HADOOP-12050:
\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 22m 2s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 3 new or modified test files. |
| {color:green}+1{color} | javac | 9m 8s | There were no new javac warning
messages. |
| {color:red}-1{color} | javadoc | 11m 26s | The applied patch generated 2
additional warning messages. |
| {color:green}+1{color} | release audit | 0m 23s | The applied patch does
not increase the total number of release audit warnings. |
| {color:red}-1{color} | checkstyle | 1m 7s | The applied patch generated
20 new checkstyle issues (total was 68, now 88). |
| {color:red}-1{color} | whitespace | 0m 1s | The patch has 1 line(s) that
end in whitespace. Use git apply --whitespace=fix. |
| {color:green}+1{color} | install | 1m 35s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 32s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 2m 33s | The patch does not introduce
any new Findbugs (version 3.0.0) warnings. |
| {color:red}-1{color} | common tests | 5m 18s | Tests failed in hadoop-auth.
|
| {color:red}-1{color} | common tests | 37m 52s | Tests failed in
hadoop-common. |
| | | 92m 23s | |
\\
\\
|| Reason || Tests ||
| Failed unit tests |
hadoop.security.authentication.server.TestAuthenticationFilter |
| Timed out tests | org.apache.hadoop.http.TestAuthenticationSessionCookie |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12739440/Enable-MaxInactiveInterval-for-hadoop-http-auth-toke.patch
|
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 04c9a07 |
| javadoc |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/diffJavadocWarnings.txt
|
| checkstyle |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/diffcheckstylehadoop-auth.txt
|
| whitespace |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/whitespace.txt
|
| hadoop-auth test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/testrun_hadoop-auth.txt
|
| hadoop-common test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/testrun_hadoop-common.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/console |
This message was automatically generated.
Enable MaxInactiveInterval for hadoop http auth token
-
Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments:
Enable-MaxInactiveInterval-for-hadoop-http-auth-toke.patch
During http authentication, a cookie which contains the authentication token
is dropped. The expiry time of the authentication token can be configured via
hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a
configurable MaxInActiveInterval for the authentication token. If there is no
activity during MaxInActiveInterval, the authentication token will be
invalidated.
The MaxInActiveInterval will be less than
hadoop.http.authentication.token.validity. The default value will be 30
minutes.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
