[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020647#comment-15020647 ]

Steve Loughran commented on HADOOP-12050:
-----------------------------------------

This patch prevents a 2.8.0 client submitting work to a secure Hadoop 2.6/2.7 cluster. HADOOP-12587 covers the issue: it's going to need fixing before any release

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 2.8.0, 3.0.0
>
>         Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
>
>
> During http authentication, a cookie which contains the authentication token
> is dropped. The expiry time of the authentication token can be configured via
> hadoop.http.authentication.token.validity. The default value is 10 hours.
> For clusters which require enhanced security, it is desirable to have a
> configurable MaxInActiveInterval for the authentication token. If there is no
> activity during MaxInActiveInterval, the authentication token will be
> invalidated.
> The MaxInActiveInterval will be less than
> hadoop.http.authentication.token.validity. The default value will be 30
> minutes.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014453#comment-15014453 ]

Vinod Kumar Vavilapalli commented on HADOOP-12050:
--------------------------------------------------

[~hzlu] / [~benoyantony], the configuration property introduced here doesn't follow our usual conventions (which I concede are not documented in writing). But can we rename this from {{hadoop.http.authentication.token.MaxInactiveInterval}} to {{hadoop.http.authentication.token.max-inactive-interval}}? If you agree, we can get it fixed.
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014579#comment-15014579 ]

Benoy Antony commented on HADOOP-12050:
---------------------------------------

Sure, we can change the property name to follow the conventions. Please let me know if you want me to open a jira and change it.
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14702876#comment-14702876 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Yarn-trunk #1022 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/1022/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14702885#comment-14702885 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #292 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/292/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703299#comment-14703299 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Hdfs-trunk #2219 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/2219/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703342#comment-14703342 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Mapreduce-trunk #2238 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2238/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703373#comment-14703373 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #289 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/289/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703309#comment-14703309 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #281 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/281/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14701970#comment-14701970 ]

Hudson commented on HADOOP-12050:
---------------------------------

FAILURE: Integrated in Hadoop-trunk-Commit #8318 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/8318/])
hadoop-12050. Enable MaxInactiveInterval for hadoop http auth token. Contributed by Huizhi Lu. (benoy: rev 71aedfabf39e03104c8d22456e95ef6349aae6c0)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/AuthToken.java
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
* hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
* hadoop-common-project/hadoop-common/src/site/markdown/HttpAuthentication.md
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14699961#comment-14699961 ]

Benoy Antony commented on HADOOP-12050:
---------------------------------------

Looks good, +1. If there are no other comments, I'll commit this tomorrow.

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14630672#comment-14630672 ]

Hadoop QA commented on HADOOP-12050:
------------------------------------

| (/) *{color:green}+1 overall{color}* |

|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 22m 4s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any @author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to include 1 new or modified test files. |
| {color:green}+1{color} | javac | 8m 22s | There were no new javac warning messages. |
| {color:green}+1{color} | javadoc | 10m 18s | There were no new javadoc warning messages. |
| {color:green}+1{color} | release audit | 0m 21s | The applied patch does not increase the total number of release audit warnings. |
| {color:green}+1{color} | site | 3m 1s | Site still builds. |
| {color:green}+1{color} | checkstyle | 1m 38s | There were no new checkstyle issues. |
| {color:green}+1{color} | whitespace | 0m 1s | The patch has no lines that end in whitespace. |
| {color:green}+1{color} | install | 1m 28s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 34s | The patch built with eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 2m 48s | The patch does not introduce any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 13s | Tests passed in hadoop-auth. |
| {color:green}+1{color} | common tests | 22m 49s | Tests passed in hadoop-common. |
| | | 78m 40s | |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12745724/HADOOP-12050.004.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle site |
| git revision | trunk / ee36f4f |
| hadoop-auth test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/artifact/patchprocess/testrun_hadoop-auth.txt |
| hadoop-common test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/artifact/patchprocess/testrun_hadoop-common.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf907.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/7295/console |

This message was automatically generated.

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.003.patch, HADOOP-12050.004.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14625293#comment-14625293 ]

Benoy Antony commented on HADOOP-12050:
---------------------------------------

I have the following review comments on this patch:

1. The token is updated after signing the token. This is not correct.
{code}
if (!newToken && !token.isExpired()
    && token != AuthenticationToken.ANONYMOUS
    && !isCookiePersistent() && getMaxInactiveInterval() > 0) {
  String signedToken = signer.sign(token.toString());
  token.setMaxInactives(System.currentTimeMillis()
      + getMaxInactiveInterval() * 1000);
  createAuthCookie(httpResponse, signedToken, getCookieDomain(),
      getCookiePath(), token.getExpires(), isCookiePersistent(), isHttps);
}
{code}
2. There is some code duplication between the above code block and the block before it. Please refactor so that code duplication is minimized.

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.003.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14623179#comment-14623179 ]

Hadoop QA commented on HADOOP-12050:
------------------------------------

| (/) *{color:green}+1 overall{color}* |

|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 15m 33s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any @author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to include 1 new or modified test files. |
| {color:green}+1{color} | javac | 7m 36s | There were no new javac warning messages. |
| {color:green}+1{color} | javadoc | 9m 34s | There were no new javadoc warning messages. |
| {color:green}+1{color} | release audit | 0m 23s | The applied patch does not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle | 0m 22s | There were no new checkstyle issues. |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that end in whitespace. |
| {color:green}+1{color} | install | 1m 21s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 33s | The patch built with eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 0m 42s | The patch does not introduce any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 18s | Tests passed in hadoop-auth. |
| | | 41m 25s | |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12744859/HADOOP-12050.003.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 47f4c54 |
| hadoop-auth test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/artifact/patchprocess/testrun_hadoop-auth.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/7238/console |

This message was automatically generated.

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.002.patch, HADOOP-12050.003.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14601931#comment-14601931 ]

Hadoop QA commented on HADOOP-12050:
------------------------------------

| (/) *{color:green}+1 overall{color}* |

|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 15m 8s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any @author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to include 1 new or modified test files. |
| {color:green}+1{color} | javac | 7m 30s | There were no new javac warning messages. |
| {color:green}+1{color} | javadoc | 9m 39s | There were no new javadoc warning messages. |
| {color:green}+1{color} | release audit | 0m 21s | The applied patch does not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle | 0m 21s | There were no new checkstyle issues. |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that end in whitespace. |
| {color:green}+1{color} | install | 1m 34s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 34s | The patch built with eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 0m 42s | The patch does not introduce any new Findbugs (version 3.0.0) warnings. |
| {color:green}+1{color} | common tests | 5m 19s | Tests passed in hadoop-auth. |
| | | 41m 11s | |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12741920/HADOOP-12050.002.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / aa5b15b |
| hadoop-auth test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/artifact/patchprocess/testrun_hadoop-auth.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf906.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/7042/console |

This message was automatically generated.

> Enable MaxInactiveInterval for hadoop http auth token
> -----------------------------------------------------
>
>                 Key: HADOOP-12050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12050
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Benoy Antony
>            Assignee: hzlu
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-12050.002.patch
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14602193#comment-14602193 ]

hzlu commented on HADOOP-12050:
---
No problem. Will do.

On Thu, Jun 25, 2015 at 5:05 PM, Benoy Antony (JIRA) j...@apache.org

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14602158#comment-14602158 ]

Benoy Antony commented on HADOOP-12050:
---
Thanks for working on this, [~hzlu]. A few comments on the patch.

1. Please add test cases to test the following scenarios:
   a. Both expiry period and InActiveInterval are not reached.
   b. Expiry period is reached, InActiveInterval is not reached.
   c. Expiry period is not reached, InActiveInterval is reached.
   d. Both expiry period and InActiveInterval are reached.
2. Update the http auth documentation with enhancements introduced in HADOOP-12049 and HADOOP-12050.
3. A nit: change maxInactive to maxInActive (camel case).

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
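The four scenarios requested in the review comment above, worked through as an added example; this is not code from the patch or from Hadoop. The class, method and field names are hypothetical, the limits are the defaults quoted in the issue description, and it assumes that each accepted request restarts the inactivity window.

```java
import java.time.Duration;

// Hypothetical model of the two token limits discussed in HADOOP-12050.
// Not Hadoop's AuthenticationFilter; all names here are illustrative.
public class InactiveIntervalDemo {
    // Defaults quoted in the issue description.
    static final long VALIDITY_MS = Duration.ofHours(10).toMillis();
    static final long MAX_INACTIVE_MS = Duration.ofMinutes(30).toMillis();

    // Constructed token: a fixed absolute expiry plus the time of the last accepted request.
    static final class Token {
        final long expiresAt;
        long lastActive;
        Token(long issuedAt) {
            this.expiresAt = issuedAt + VALIDITY_MS;
            this.lastActive = issuedAt;
        }
    }

    // Either limit alone invalidates the token; only an accepted request counts as activity.
    static String check(Token t, long now) {
        boolean expired = now >= t.expiresAt;
        boolean inactive = now - t.lastActive >= MAX_INACTIVE_MS;
        if (!expired && !inactive) {
            t.lastActive = now; // restarts the inactivity window, never the absolute expiry
            return "accepted";
        }
        if (expired && inactive) return "rejected (expired, inactive)";
        return expired ? "rejected (expired)" : "rejected (inactive)";
    }

    static long minutes(long m) { return Duration.ofMinutes(m).toMillis(); }

    public static void main(String[] args) {
        // a. Neither limit reached: one request 10 minutes after issue.
        System.out.println("a: " + check(new Token(0), minutes(10)));
        // b. Expiry reached, inactivity not reached: a request every 20 minutes up to hour 10.
        Token b = new Token(0);
        for (long m = 20; m < 600; m += 20) check(b, minutes(m));
        System.out.println("b: " + check(b, minutes(600)));
        // c. Expiry not reached, inactivity reached: first request after 31 idle minutes.
        System.out.println("c: " + check(new Token(0), minutes(31)));
        // d. Both reached: no request until just after the 10-hour validity.
        System.out.println("d: " + check(new Token(0), minutes(601)));
    }
}
```

Scenario b is the one an idle timeout must not mask: a client that stays continuously active is still cut off at the absolute validity limit.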
[jira] [Commented] (HADOOP-12050) Enable MaxInactiveInterval for hadoop http auth token
[ https://issues.apache.org/jira/browse/HADOOP-12050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14587107#comment-14587107 ]

Hadoop QA commented on HADOOP-12050:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | pre-patch | 22m 2s | Pre-patch trunk compilation is healthy. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | tests included | 0m 0s | The patch appears to include 3 new or modified test files. |
| +1 | javac | 9m 8s | There were no new javac warning messages. |
| -1 | javadoc | 11m 26s | The applied patch generated 2 additional warning messages. |
| +1 | release audit | 0m 23s | The applied patch does not increase the total number of release audit warnings. |
| -1 | checkstyle | 1m 7s | The applied patch generated 20 new checkstyle issues (total was 68, now 88). |
| -1 | whitespace | 0m 1s | The patch has 1 line(s) that end in whitespace. Use git apply --whitespace=fix. |
| +1 | install | 1m 35s | mvn install still works. |
| +1 | eclipse:eclipse | 0m 32s | The patch built with eclipse:eclipse. |
| +1 | findbugs | 2m 33s | The patch does not introduce any new Findbugs (version 3.0.0) warnings. |
| -1 | common tests | 5m 18s | Tests failed in hadoop-auth. |
| -1 | common tests | 37m 52s | Tests failed in hadoop-common. |
| | | 92m 23s | |

|| Reason || Tests ||
| Failed unit tests | hadoop.security.authentication.server.TestAuthenticationFilter |
| Timed out tests | org.apache.hadoop.http.TestAuthenticationSessionCookie |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12739440/Enable-MaxInactiveInterval-for-hadoop-http-auth-toke.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 04c9a07 |
| javadoc | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/diffJavadocWarnings.txt |
| checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/diffcheckstylehadoop-auth.txt |
| whitespace | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/whitespace.txt |
| hadoop-auth test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/testrun_hadoop-auth.txt |
| hadoop-common test log | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/artifact/patchprocess/testrun_hadoop-common.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6966/console |

This message was automatically generated.

Enable MaxInactiveInterval for hadoop http auth token

Key: HADOOP-12050
URL: https://issues.apache.org/jira/browse/HADOOP-12050
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.0.0
Reporter: Benoy Antony
Assignee: hzlu
Fix For: 3.0.0
Attachments: Enable-MaxInactiveInterval-for-hadoop-http-auth-toke.patch

During http authentication, a cookie which contains the authentication token is dropped. The expiry time of the authentication token can be configured via hadoop.http.authentication.token.validity. The default value is 10 hours.
For clusters which require enhanced security, it is desirable to have a configurable MaxInActiveInterval for the authentication token. If there is no activity during MaxInActiveInterval, the authentication token will be invalidated.
The MaxInActiveInterval will be less than hadoop.http.authentication.token.validity. The default value will be 30 minutes.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)