hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10911) hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
Date Wed, 27 Aug 2014 00:19:57 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Gregory Chanan updated HADOOP-10911:
------------------------------------

    Attachment: HADOOP-10911v3.patch

Latest version of the patch.

This patch has the following changes from the previous patch:
- Adds a check that a cookie with a proper token is included with each POST request.  This
guarantees that the cookies are being handled correctly (i.e. the test can't pass by just
redoing negotiate on each request).  The previous patch had a test for this with httpclient,
but not with AuthenticatedURL.
- Changes the cookie format.  Note with the new tests, we are checking {jetty, tomcat} x {AuthenticatedURL,
HttpClient}.  So we should be pretty confident in any cookie that passes all those tests.
 To generate the cookie format, I used jetty 8.1.15.v20140411.  (NOTE: I didn't actually use
the Cookie class and the 3.0 servlet API, I called the helper function jetty uses to produce
the format: http://archive.eclipse.org/jetty/9.0.0.RC0/apidocs/org/eclipse/jetty/http/HttpFields.html#addSetCookie%28java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String,%20long,%20java.lang.String,%20boolean,%20boolean,%20int%29
).  It produced a cookie like:
{code}
Set-Cookie=hadoop.auth="u=client&p=client@EXAMPLE.COM&t=kerberos&e=1409128342379&s=R6rNnd4CcMV0bNtK1dNLiJr1ivk=";Expires=Mon,
31-Aug-2026 08:36:23 GMT;HttpOnly
{code}
This is if you set to use version 0 cookies, version 1 is identical with a Max-Age entry added:
{code}
Set-Cookie=hadoop.auth="u=client&p=client@EXAMPLE.COM&t=kerberos&e=1409128342379&s=R6rNnd4CcMV0bNtK1dNLiJr1ivk=";Expires=Mon,
31-Aug-2026 08:36:23 GMT;Max-Age=379069291;HttpOnly
{code}
The Max-Age entry doesn't seem necessary, given even the JDK docs say version 1 is experimental.
 Note that I kept the spaces after the ; in our format, as they don't seem to affect anything
and make it easier to read.  Also, I tested the new format against Solr on real cluster and
it passed, while the old format fails.

> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-10911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10911
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Gregory Chanan
>         Attachments: HADOOP-10911-tests.patch, HADOOP-10911.patch, HADOOP-10911v2.patch,
HADOOP-10911v3.patch
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is unable to
authenticate with servers running the authentication filter), even with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned for backwards
compatibility with netscape draft spec.  When httpclient sees "Expires", it parses according
to the netscape draft spec, but note from RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old" cookies did
not have quotes around values. 
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message