[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2021-12-12 Thread Julian Hyde (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458093#comment-17458093
 ] 

Julian Hyde commented on CALCITE-4152:
--

Fixed in 
[c3a91923|https://github.com/apache/calcite-avatica/commit/c3a9192347b4354337a906838499ff25236d63bc].

> Avoid SPNEGO re-negotiation for each request
>
> Key: CALCITE-4152
> URL: https://issues.apache.org/jira/browse/CALCITE-4152
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Istvan Toth
> Assignee: Josh Elser
> Priority: Major
> Fix For: avatica-1.20.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> When using SPNEGO authentication with Avatica, every HTTP request re-initiates the negotiation, doubling the number of HTTP requests.
> Consider switching to cookies after the initial SPNEGO authentication succeeds.
> Jetty ticket that discusses the issue: [https://github.com/eclipse/jetty.project/issues/2868]
> Description of the Knox implementation: [https://cwiki.apache.org/confluence/display/KNOX/2017/02/24/Hadoop+Auth+%28SPNEGO+and+delegation+token+based+authentication%29+with+Apache+Knox]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2021-10-27 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17435103#comment-17435103
 ] 

Josh Elser commented on CALCITE-4152:
-

Officially moved the PR out of "draft"



[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-12-31 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257140#comment-17257140
 ] 

Josh Elser commented on CALCITE-4152:
-

Linking my draft PR. Needs cleanup, testing, doc updates, and performance 
validation.



[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-12-31 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257137#comment-17257137
 ] 

Josh Elser commented on CALCITE-4152:
-

{code:java}
2020-12-31 23:21:35,831 [qtp2048434399-16] DEBUG - COMMIT for / on 
HttpChannelOverHttp@584ac69e{s=HttpChannelState@5cea67c6{s=HANDLING 
rs=COMPLETING os=COMMITTED is=READY awp=false se=false i=false 
al=0},r=2,c=false/false,a=HANDLING,uri=//localhost:51706/,age=283}
200 null HTTP/1.1
Date: Fri, 01 Jan 2021 04:21:35 GMT
WWW-Authenticate: Negotiate 
oYH1MIHyoAMKAQChCwYJKoZIhvcSAQICom4EbGBqBgkqhkiG9xIBAgICAG9bMFmgAwIBBaEDAgEPok0wS6ADAgERokQEQtpZnCRCej2MpfcD4oGTteO70BdUVSdd7Y4o/hqCP7ZB6YcXORaqxcEHjVjRLCZk1MLueoDiUO/YQh2CruAbVWMIBaNuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEaJEBELaWZwkQno9jKX3A+KBk7Xju9AXVFUnXe2OKP4agj+2QemHFzkWqsXBB41Y0SwmZNTC7nqA4lDv2EIdgq7gG1VjCAU=
Set-Cookie: JSESSIONID=node01mx0ketk9hfx2166mjptrygys60.node0; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/octet-stream;charset=utf-8
{code}
With the new ConfigurableSpnegoAuthenticator/LoginService, Jetty will automatically send back a JSESSIONID cookie and use that, as long as the provided "duration" for cookie validity is not exceeded. Pretty slick.

We'll have to go through the other stuff that hadoop-auth does and make sure that we don't need anything else (like {{Secure}} or {{HttpOnly}} options on that cookie).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
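
A check for the cookie attributes that the comment above says still need review, as an added example that is not code from the thread, Avatica or Jetty. It parses the `Set-Cookie` line of the captured response with the JDK's `java.net.HttpCookie`; the class name, the abridged header block and the hardened variant are constructed for the example.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;

/** Added example: report cookies in a response header block that lack Secure or HttpOnly. */
public class SessionCookieAudit {
  static List<String> audit(String rawHeaders) {
    List<String> findings = new ArrayList<>();
    for (String line : rawHeaders.split("\r?\n")) {
      // Header names are case-insensitive; skip everything that is not Set-Cookie.
      if (!line.regionMatches(true, 0, "Set-Cookie:", 0, 11)) continue;
      try {
        for (HttpCookie c : HttpCookie.parse(line)) {
          if (!c.getSecure()) findings.add(c.getName() + ": no Secure, also sent over plain HTTP");
          if (!c.isHttpOnly()) findings.add(c.getName() + ": no HttpOnly, readable by page script");
        }
      } catch (IllegalArgumentException e) {
        findings.add("unparseable Set-Cookie header");
      }
    }
    return findings;
  }

  public static void main(String[] args) {
    // Header block abridged from the debug log in the comment; the Negotiate token is elided.
    String asLogged = "Date: Fri, 01 Jan 2021 04:21:35 GMT\n"
        + "WWW-Authenticate: Negotiate <token>\n"
        + "Set-Cookie: JSESSIONID=node01mx0ketk9hfx2166mjptrygys60.node0; Path=/\n"
        + "Content-Type: application/octet-stream;charset=utf-8\n";
    // Constructed variant with both attributes set.
    String hardened = asLogged.replace("Path=/", "Path=/; Secure; HttpOnly");
    audit(asLogged).forEach(System.out::println);
    System.out.println("hardened findings: " + audit(hardened).size());
  }
}
```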


[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-12-31 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257124#comment-17257124
 ] 

Josh Elser commented on CALCITE-4152:
-

Hah, well, maybe back this whole train up. (I think Kevin suggested this 
elsewhere)

The ConfigurableSpnegoAuthenticator already does exactly what we want here :)



[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-12-23 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17254396#comment-17254396
 ] 

Josh Elser commented on CALCITE-4152:
-

I guess this approach is really just a JWT but not following that spec 
[https://jwt.io/introduction]

Maybe step 5 should be "make it a JWT"



[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-12-23 Thread Josh Elser (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17254375#comment-17254375
 ] 

Josh Elser commented on CALCITE-4152:
-

Looking at this for fun, the general wag at what Hadoop is doing is this...
 * After a successful SPNEGO auth'n, they send a Set-Cookie header back to the client
 * The cookie looks something like {{Set-Cookie: hadoop.auth="u=guest=guest/c6401.ambari.apache@example.com=kerberos=1487947765114=fNpq9FYy2DA19Rah7586rgsAieI="; Path=gateway/default; Domain=ambari.apache.org; Secure; HttpOnly}}
 * The token data is "username", (kerberos) "principal", authentication type, expiration time
 * This token data is signed with HmacSHA256 and that's included as "{{fNpq9FYy2DA19Rah7586rgsAieI=}}"
 * The signature is used when the token is passed back to the server to validate that the token itself wasn't changed (e.g. user doesn't modify it and say they're someone else)

 * If the user doesn't provide the token (via the cookie), spnego authn happens normally. When spnego authn succeeds, it sets a new cookie
 * If the user provides the token (via the cookie) and the token is valid (the signature matches), then user is marked as "authenticated" (as the user who is specified in that auth token).

I think I can break this up into a couple of steps:
 # Show that we can bypass spnego successfully with a cookie that just has basic info. Will have to add indirection in AbstractAvaticaHandler to not pull the user directly from the HttpServletRequest. Update the client, maybe (the http client we use may automatically pass it along)?
 # Make the plain cookie data into a protobuf or other serializable data structure
 # Add signing of the cookie data
 # Add expiration of the auth cookie

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
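
The signed-cookie flow sketched in the comment above (issue a token once SPNEGO succeeds, then verify its HMAC and expiry on later requests), as an added example that is not part of the thread and is not Avatica or hadoop-auth code. The class name, the `&`-separated field layout and the demo secret are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
/** Added example: HMAC-signed auth cookie value; field layout and names are assumptions. */
public class SignedAuthCookie {
  private final byte[] secret;
  public SignedAuthCookie(byte[] secret) { this.secret = secret.clone(); }

  /** Issued after SPNEGO succeeds: u=<user>&p=<principal>&t=<type>&e=<expiryMillis>&s=<sig>. */
  public String issue(String user, String principal, String type, long expiresAtMillis) {
    if ((user + principal + type).indexOf('&') >= 0)
      throw new IllegalArgumentException("'&' in a field would let it forge another field");
    String body = "u=" + user + "&p=" + principal + "&t=" + type + "&e=" + expiresAtMillis;
    return body + "&s=" + sign(body);
  }

  /** Returns the user if the MAC matches and the token is unexpired; null means "run SPNEGO". */
  public String verify(String cookieValue, long nowMillis) {
    int i = (cookieValue == null) ? -1 : cookieValue.lastIndexOf("&s=");
    if (i < 0) return null;
    String body = cookieValue.substring(0, i);
    byte[] given = cookieValue.substring(i + 3).getBytes(StandardCharsets.UTF_8);
    // Constant-time comparison, done before any field of the body is parsed or trusted.
    if (!MessageDigest.isEqual(sign(body).getBytes(StandardCharsets.UTF_8), given)) return null;
    String user = null;
    long expiry = Long.MIN_VALUE;
    for (String kv : body.split("&")) {
      if (kv.startsWith("u=")) user = kv.substring(2);
      if (kv.startsWith("e=")) expiry = Long.parseLong(kv.substring(2));
    }
    return (user != null && nowMillis < expiry) ? user : null;
  }
  private String sign(String body) {
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(secret, "HmacSHA256"));
      return Base64.getEncoder().encodeToString(mac.doFinal(body.getBytes(StandardCharsets.UTF_8)));
    } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
  }
  public static void main(String[] args) {
    // Constructed secret and principal; a deployment would load a random server-side key.
    SignedAuthCookie c = new SignedAuthCookie("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
    String tok = c.issue("guest", "guest/host.example.com@EXAMPLE.COM", "kerberos", 2000L);
    System.out.println(c.verify(tok, 1000L));                               // untouched, unexpired
    System.out.println(c.verify(tok.replace("u=guest", "u=admin"), 1000L)); // user name altered
    System.out.println(c.verify(tok, 3000L));                               // past expiry
  }
}
```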


[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

2020-08-03 Thread Istvan Toth (Jira)


[ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17169782#comment-17169782
 ] 

Istvan Toth commented on CALCITE-4152:
--

The issue was originally reported by [~elserj].
