  1. Hadoop Common
  2. HADOOP-12906

AuthenticatedURL should convert a 404/Not Found into a FileNotFoundException.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.9.0, 3.0.0-alpha1
    • Component/s: io, security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      If you ask for a URL that isn't there, AuthenticatedURL raises an exception saying you are unauthed.

      It's not checking the response code; 404 is an error all of its own, which can be uprated as a FileNotFound Exception.

          Activity

          stevel@apache.org Steve Loughran added a comment -

          Stack

            org.apache.spark.deploy.history.yarn.rest.UnauthorizedRequestException: Authentication failure as stevel (auth:SIMPLE) against http://localhost:60531/api/v1/applications/application_1111_0000/jobs: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 404, message: Not Found
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:131)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:124)
            at org.apache.spark.deploy.history.yarn.rest.PrivilegedFunction.run(PrivilegedFunction.scala:31)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:415)
            at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1708)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector.openConnection(SpnegoUrlConnector.scala:123)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector.getHttpURLConnection(SpnegoUrlConnector.scala:108)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector.execHttpOperation(SpnegoUrlConnector.scala:194)
            at org.apache.spark.deploy.history.yarn.integration.AbstractHistoryIntegrationTests.getJsonResource(AbstractHistoryIntegrationTests.scala:474)
            ...
            Cause: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 404, message: Not Found
            at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:274)
            at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
            at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212)
            at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:127)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:124)
            at org.apache.spark.deploy.history.yarn.rest.PrivilegedFunction.run(PrivilegedFunction.scala:31)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:415)
            at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1708)
            ...
          
          stevel@apache.org Steve Loughran added a comment -

          Fixed stack. Note how the URL is complete, meaning is obvious, nobody will mistake it for a Kerberos problem, etc, etc.

            java.io.FileNotFoundException: http://localhost:61098/api/v1/applications/application_1111_0000/jobs?user.name=stevel
            at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:275)
            at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
            at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212)
            at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:127)
            at org.apache.spark.deploy.history.yarn.rest.SpnegoUrlConnector$$anonfun$1.apply(SpnegoUrlConnector.scala:124)
            at org.apache.spark.deploy.history.yarn.rest.PrivilegedFunction.run(PrivilegedFunction.scala:31)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:415)
            at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1708)
          
          stevel@apache.org Steve Loughran added a comment -

          Patch 001.

          1. handles 404s with a FileNotFoundException and the URL
          2. always includes the URL on auth exceptions, on the off chance somebody might want to know what web server/service is refusing requests

          I'm not writing a test for it in the Hadoop codebase unless someone can suggest an existing webapp test suite I could add it to.
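
The two behaviours listed in the Patch 001 comment above, as an added Java example that is not the HADOOP-12906 patch or Hadoop code. `AuthFailedException`, `checkResponse`, `redact`, the message format and the local test server are assumptions made for illustration; the query-string redaction is an added choice that the patch discussed here does not make (its fixed stack shows the full URL including `user.name`).

```java
import com.sun.net.httpserver.HttpServer;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class StatusMappingDemo {
  /** Local stand-in for Hadoop's AuthenticationException (assumption, not the real class). */
  static class AuthFailedException extends IOException {
    AuthFailedException(String msg) { super(msg); }
  }

  /** Drop the query string so user.name or token parameters stay out of logs (added choice). */
  static String redact(URL url) {
    String s = url.toString();
    int q = s.indexOf('?');
    return q < 0 ? s : s.substring(0, q) + "?<redacted>";
  }

  /** Map the HTTP status of a request to a specific exception instead of a blanket auth failure. */
  static void checkResponse(HttpURLConnection conn) throws IOException {
    int status = conn.getResponseCode();
    if (status == HttpURLConnection.HTTP_OK) {
      return;
    }
    String where = redact(conn.getURL());
    if (status == HttpURLConnection.HTTP_NOT_FOUND) {
      // A missing resource is not an authentication problem.
      throw new FileNotFoundException(where);
    }
    // Every other failure still names the endpoint that refused the request.
    throw new AuthFailedException("Authentication failed, URL: " + where
        + ", status: " + status + ", message: " + conn.getResponseMessage());
  }

  public static void main(String[] args) throws Exception {
    // Constructed local server: /missing answers 404, /secure answers 401.
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    server.createContext("/missing", ex -> { ex.sendResponseHeaders(404, -1); ex.close(); });
    server.createContext("/secure", ex -> { ex.sendResponseHeaders(401, -1); ex.close(); });
    server.start();
    String base = "http://127.0.0.1:" + server.getAddress().getPort();
    try {
      for (String path : new String[] {"/missing?user.name=demo", "/secure?user.name=demo"}) {
        HttpURLConnection conn = (HttpURLConnection) new URL(base + path).openConnection();
        try {
          checkResponse(conn);
        } catch (IOException e) {
          System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
        } finally {
          conn.disconnect();
        }
      }
    } finally {
      server.stop(0);
    }
  }
}
```

Run against the constructed server, the 404 surfaces as `FileNotFoundException` and the 401 as the stand-in auth exception, each carrying the endpoint so the refusing service can be identified from the log.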

          liuml07 Mingliang Liu added a comment -

          +1 (non-binding).

          Though it's unrelated, I think it's good to have switch-case for branching resp code.

          stevel@apache.org Steve Loughran added a comment -

          I thought of a switch, but then wondered which ones to handle. Bad argument 403 and server error 500 are the big two. Just doing 401 simplified the patch and was trivial to test in my (failing) test elsewhere

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 17s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 9m 3s trunk passed
          +1 compile 11m 57s trunk passed with JDK v1.8.0_74
          +1 compile 9m 36s trunk passed with JDK v1.7.0_95
          +1 checkstyle 0m 17s trunk passed
          +1 mvnsite 0m 27s trunk passed
          +1 mvneclipse 0m 18s trunk passed
          +1 findbugs 0m 38s trunk passed
          +1 javadoc 0m 19s trunk passed with JDK v1.8.0_74
          +1 javadoc 0m 16s trunk passed with JDK v1.7.0_95
          +1 mvninstall 0m 20s the patch passed
          +1 compile 11m 41s the patch passed with JDK v1.8.0_74
          +1 javac 11m 41s the patch passed
          +1 compile 8m 49s the patch passed with JDK v1.7.0_95
          +1 javac 8m 49s the patch passed
          +1 checkstyle 0m 15s hadoop-common-project/hadoop-auth: patch generated 0 new + 21 unchanged - 2 fixed = 21 total (was 23)
          +1 mvnsite 0m 21s the patch passed
          +1 mvneclipse 0m 14s the patch passed
          +1 whitespace 0m 0s Patch has no whitespace issues.
          +1 findbugs 0m 45s the patch passed
          +1 javadoc 0m 16s the patch passed with JDK v1.8.0_74
          +1 javadoc 0m 14s the patch passed with JDK v1.7.0_95
          -1 unit 13m 54s hadoop-auth in the patch failed with JDK v1.8.0_74.
          +1 unit 14m 22s hadoop-auth in the patch passed with JDK v1.7.0_95.
          +1 asflicense 0m 23s Patch does not generate ASF License warnings.
          85m 54s



          Reason Tests
          JDK v1.8.0_74 Failed junit tests hadoop.security.authentication.util.TestZKSignerSecretProvider



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:0ca8df7
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12792077/HADOOP-12906-001.patch
          JIRA Issue HADOOP-12906
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 1dc293eb05b4 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 0233d4e
          Default Java 1.7.0_95
          Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_74 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_95
          findbugs v3.0.0
          unit https://builds.apache.org/job/PreCommit-HADOOP-Build/8823/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-auth-jdk1.8.0_74.txt
          unit test logs https://builds.apache.org/job/PreCommit-HADOOP-Build/8823/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-auth-jdk1.8.0_74.txt
          JDK v1.7.0_95 Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/8823/testReport/
          modules C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/8823/console
          Powered by Apache Yetus 0.2.0 http://yetus.apache.org

          This message was automatically generated.

          liuml07 Mingliang Liu added a comment -

          Understood. Thanks for the explanation (and the patch).

          stevel@apache.org Steve Loughran added a comment -

          failure unrelated; although no tests in the hadoop code, I have clearly demonstrated something downstream

          gtCarrera9 Li Lu added a comment -

          Patch LGTM. +1. Will commit shortly.

          gtCarrera9 Li Lu added a comment -

          I committed this patch into trunk and branch-2. Thanks Steve Loughran for the work and Mingliang Liu for the quick review! Given the fact that this patch is small, I'm also fine with cherry-picking it to branch-2.8.

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-trunk-Commit #9449 (See https://builds.apache.org/job/Hadoop-trunk-Commit/9449/)
          HADOOP-12906. AuthenticatedURL should convert a 404/Not Found into an (gtcarrera9: rev 9a79b738c582bd84727831987b845535625d75fe)

          • hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java

            People

            • Assignee:
              stevel@apache.org Steve Loughran
              Reporter:
              stevel@apache.org Steve Loughran