Hadoop Common
HADOOP-10710

hadoop.auth cookie is not properly constructed according to RFC2109


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.5.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are being constructed.

      Before HADOOP-10379, cookies were constructed using Servlet's Cookie class and corresponding HttpServletResponse methods. This was taking care of setting attributes like 'Version=1' and double-quoting the cookie value if necessary.

      HADOOP-10379 changed the Cookie creation to use a StringBuilder and setting values and attributes by hand. This is not taking care of setting required attributes like Version and escaping the cookie value.

      While this is not breaking HadoopAuth AuthenticatedURL access, it is breaking access done using HttpClient. E.g. Solr uses HttpClient and its access is broken since this change.

      It seems that HADOOP-10379 main objective was to set the 'secure' attribute. Note this can be done using the Cookie API.

      We should revert the cookie creation logic to use the Cookie API and take care of the security flag via setSecure(boolean).
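As an added example (not Hadoop's own code), the following Python models the two constructions the description contrasts: the hand-built header with a raw value and no Version attribute, and an RFC 2109 header with Version=1 and a double-quoted value, each checked against a strict reader standing in for a client such as HttpClient. The hadoop.auth token layout and its values are constructed for the example, not taken from the issue.

```python
import re

# RFC 2068 tspecials: any of these (or a control character) in a cookie value
# means RFC 2109 requires the value to be sent as a quoted-string.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

# Constructed sample; the "u=..&p=..&t=..&e=..&s=.." layout is an assumption
# about the hadoop.auth token. It contains '=' and '@', both tspecials.
SAMPLE_TOKEN = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1404000000000&s=c2lnbmF0dXJl"

def needs_quoting(value: str) -> bool:
    return any(c in TSPECIALS or ord(c) < 32 or ord(c) == 127 for c in value)

def quote(value: str) -> str:
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'

def set_cookie_by_hand(token: str, secure: bool = True) -> str:
    """Model of the StringBuilder approach the description objects to:
    raw value, no Version attribute, Secure appended by hand."""
    header = f"hadoop.auth={token}; Path=/"
    return header + "; Secure" if secure else header

def set_cookie_rfc2109(token: str, secure: bool = True) -> str:
    """Model of what the description says the Cookie API takes care of:
    Version=1 plus double-quoting of the value when it needs it."""
    value = quote(token) if needs_quoting(token) else token
    attrs = [f"hadoop.auth={value}", "Version=1", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)

_SET_COOKIE = re.compile(r'^\s*([^=;\s]+)=("(?:[^"\\]|\\.)*"|[^;]*)\s*(?:;(.*))?$', re.S)

def strict_parse(header: str):
    """Minimal RFC 2109-strict reader: returns (name, value, attrs), or None
    when the value is neither a token nor a quoted-string (the unquoted
    hadoop.auth token is rejected exactly this way)."""
    m = _SET_COOKIE.match(header)
    if not m:
        return None
    name, value, rest = m.group(1), m.group(2), m.group(3) or ""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = re.sub(r'\\(.)', r'\1', value[1:-1])  # undo quoted-pair escapes
    elif needs_quoting(value):
        return None
    attrs = {}
    for part in filter(None, (p.strip() for p in rest.split(';'))):
        k, _, v = part.partition('=')
        attrs[k.lower()] = v
    return name, value, attrs
```

Running `strict_parse` over both headers shows the hand-built one rejected and the RFC 2109 one parsed back to the original token with `Version=1` and `Secure` intact.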

      Attachments

        1. HADOOP-10710.001.patch (9 kB, Juan Yu)
        2. HADOOP-10710.002.patch (9 kB, Juan Yu)
        3. HADOOP-10710.003.patch (9 kB, Juan Yu)
        4. HADOOP-10710.004.patch (5 kB, Juan Yu)
        5. HADOOP-10710.005.patch (5 kB, Juan Yu)
        6. HADOOP-10710.006.patch (5 kB, Juan Yu)
        7. HADOOP-10710.007.patch (5 kB, Juan Yu)


          People

            Assignee: jyu@cloudera.com Juan Yu
            Reporter: tucu00 Alejandro Abdelnur
            Votes: 0
            Watchers: 11
