hadoop-common-issues mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10911) hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
Date Tue, 19 Aug 2014 23:01:20 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gregory Chanan updated HADOOP-10911:
------------------------------------

    Attachment: HADOOP-10911v2.patch

bq. On Max-Age & Expired, I don't think we want to break old browsers. It seems to me
an HttpClient bug that uses the presence of Expire to go back to old cookie format, the presence
of Version=1 should trump. Can you dig on HttpClient side?

This is a bit complicated -- see the discussion here: http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201408.mbox/%3C1406895602.17749.8.camel%40ubuntu%3E
In short, it's not a valid Version=1 cookie, but httpclient would like to be able to handle
it anyway, see HTTPCLIENT-1546.

I added a patch that does the following:
1) Runs the TestKerberosAuthenticator test cases against Tomcat as well as Jetty, this exposes
the bug in HADOOP-10379, which didn't get a test added in HADOOP-10710
2) Adds an httpclient test case to TestKerberosAuthenticator.  This does 2 things:
- Checks that the cookie is actually being processed.  Note that it's possible for the existing
tests to pass by doing the SPNego negotiation on each request, rather than relying on the
cookie.  But the entity type we use in the test doesn't support repeating, so an exception
is raised if the SPNego process repeats
- Verifies that httpclient works with our cookie format (probably not strictly necessary,
but nice to have given httpclient's popularity)

So, I think the test cases are pretty useful for catching regressions.

As for the format itself, I just chose a simple format that passes all the tests.  That seems
like a reasonable improvement over what we have now, but I'm not married to the particular
format.

> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-10911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10911
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Gregory Chanan
>         Attachments: HADOOP-10911-tests.patch, HADOOP-10911.patch, HADOOP-10911v2.patch
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is unable to authenticate with servers running the authentication filter), even with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned for backwards compatibility with netscape draft spec.  When httpclient sees "Expires", it parses according to the netscape draft spec, but note from RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old" cookies did not have quotes around values.
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
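
The parsing rule described in the issue, as an added illustration (not code from httpclient, Hadoop, or the attached patches): a simplified client model that switches to Netscape-draft parsing when it sees `Expires`, so the quotes placed around the value become part of the stored cookie value. The function names, the token and both `Set-Cookie` values are constructed for this example.

```python
# Simplified model of the client-side rule described in the issue.
# Not httpclient or Hadoop code; token and headers are constructed samples.
TOKEN = 'u=alice&s=PLACEHOLDER'  # constructed; stands in for the signed token
EXPIRES = 'Expires=Wed, 20-Aug-2014 09:01:20 GMT'  # constructed date
WITH_EXPIRES = f'hadoop.auth="{TOKEN}"; Version=1; Path=/; {EXPIRES}'
WITHOUT_EXPIRES = f'hadoop.auth="{TOKEN}"; Version=1; Path=/'

def split_attrs(header):
    """Split a Set-Cookie value on ';', ignoring ';' inside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def parse_set_cookie(header):
    """Return (spec, name, stored_value) under the rule the issue describes."""
    pairs = [p.partition('=') for p in split_attrs(header)]
    name, _, raw_value = pairs[0]
    attrs = {k.strip().lower(): v.strip() for k, _, v in pairs[1:]}
    if 'expires' in attrs:
        # Netscape draft: "old" cookies are unquoted, so quotes are data.
        return 'netscape', name, raw_value
    if attrs.get('version', '').strip('"') == '1':
        # RFC 2109: the value is a quoted-string; quotes are delimiters.
        value = raw_value
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        return 'rfc2109', name, value
    return 'netscape', name, raw_value

def token_survives(header, token=TOKEN):
    """True if the value the client stores equals the token that was issued."""
    return parse_set_cookie(header)[2] == token

if __name__ == '__main__':
    for h in (WITH_EXPIRES, WITHOUT_EXPIRES):
        print(parse_set_cookie(h), token_survives(h))
```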
