[KNOX-1171] Handle invalid hadoop.auth cookie returned by Oozie - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.14.0
Fix Version/s: 1.1.0
Component/s: Server
Labels:
None

Description

There are issues with Oozie/HadoopAuth that prevent the proxying of the Oozie UI in secure clusters.

The HadoopAuth issue below is preventing HttpClient from handling hadoop.auth token resulting in every interaction with Oozie requiring a SPNego authentication in a secure cluster. https://issues.apache.org/jira/browse/HADOOP-10710

The Oozie issue below prevents certain Oozie resources from be accessible when SPNego authentication occurs. This is caused by these resources being authenticated twice which results in a Kerberos replay attack detection/failure. https://issues.apache.org/jira/browse/OOZIE-2427

The combination of these two issues prevents the Oozie UI from being proxied in a secure cluster.

The proposed solution is to enhance HadoopAuthCookieStore to handle cases where the cooke value isn't RFC2109 compliant by wrapping the value in double quotes if they are missing.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

KNOX-1171-002_v0.14.0.patch
07/Feb/18 22:28
9 kB
Kevin Minder
KNOX-1171-001_v0.14.0.patch
06/Feb/18 19:04
9 kB
Kevin Minder
KNOX-1171.patch
06/Feb/18 14:30
9 kB
Kevin Minder

Activity

People

Assignee:: Kevin Minder

Reporter:: Kevin Minder

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Feb/18 13:26

Updated:: 28/Mar/19 14:05

Resolved:: 06/Feb/18 14:52