[HADOOP-10710] hadoop.auth cookie is not properly constructed according to RFC2109 - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.4.0
Fix Version/s: 2.5.0
Component/s: security
Labels:
None

Target Version/s:

2.5.0
Hadoop Flags:

Reviewed

Description

It seems that ~~HADOOP-10379~~ introduced a bug on how hadoop.auth cookies are being constructed.

Before ~~HADOOP-10379~~, cookies were constructed using Servlet's Cookie class and corresponding HttpServletResponse methods. This was taking care of setting attributes like 'Version=1' and double-quoting the cookie value if necessary.

~~HADOOP-10379~~ changed the Cookie creation to use a StringBuillder and setting values and attributes by hand. This is not taking care of setting required attributes like Version and escaping the cookie value.

While this is not breaking HadoopAuth AuthenticatedURL access, it is breaking access done using HtttpClient. I.e. Solr uses HttpClient and its access is broken since this change.

It seems that ~~HADOOP-10379~~ main objective was to set the 'secure' attribute. Note this can be done using the Cookie API.

We should revert the cookie creation logic to use the Cookie API and take care of the security flag via setSecure(boolean).