  1. Hadoop Common
  2. HADOOP-13565

KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: 2.8.0, 3.0.0-alpha2
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      In KerberosAuthenticationHandler#authenticate, we use the canonicalized server name derived from the HTTP request to build the server SPN and authenticate the client. This can be problematic if the HTTP client/server are running from a non-local Kerberos realm that the local realm has trust with (e.g., NN UI).

      For example,
      The server is running its HTTP endpoint using an SPN from the client realm:
      <name>hadoop.http.authentication.kerberos.principal</name>
      <value>HTTP/_HOST/TEST.COM</value>

      The client sends a request to the namenode at http://NN1.example.com:50070 from client.test.com@TEST.COM.

      The client talks to the KDC first and gets a service ticket HTTP/NN1.example.com/TEST.COM to authenticate with the server via SPNEGO negotiation.

      The authentication will end up with either a "no valid credential" error or a checksum failure, depending on the HTTP client's name resolution or the HTTP Host field from the request header provided by the browser.

      The root cause is that KerberosUtil.getServicePrincipal("HTTP", serverName) will always return an SPN with the local realm (HTTP/NN.example.com@EXAMPLE.COM), no matter whether the server login SPN is from that domain or not.

      The proposed fix is to use the default server login principal (by passing null as the 1st parameter to gssManager.createCredential()) instead. This way we avoid any dependency on HTTP client behavior (Host header or name resolution like CNAME) or any assumption about the local realm.

      1. HADOOP-13565.00.patch
        2 kB
        Xiaoyu Yao
      2. HADOOP-13565.01.patch
        12 kB
        Xiaoyu Yao
      3. HADOOP-13565.02.patch
        17 kB
        Xiaoyu Yao
      4. HADOOP-13565.03.patch
        17 kB
        Xiaoyu Yao

        Issue Links

          Activity

          xyao Xiaoyu Yao added a comment -

          Also notice that the change to use the server name from the HTTP request to build the server SPN and retrieve the credential was introduced as part of HADOOP-10158 to support multiple SPNs. Not sure if rebuilding the SPN based on the client request is necessary for multiple SPN support. If yes, we can keep the old behavior if no multiple SPN is being used by authenticating with the default login SPN specified. This way, the use case above will continue to work after HADOOP-10158.

          cc: the original contributor of HADOOP-10158 Daryn Sharp/Kihwal Lee for additional feedback on this. Thanks in advance!

          xyao Xiaoyu Yao added a comment -

          Attach an initial patch for discussion.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 13s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 6m 56s trunk passed
          +1 compile 6m 54s trunk passed
          +1 checkstyle 0m 13s trunk passed
          +1 mvnsite 0m 17s trunk passed
          +1 mvneclipse 0m 11s trunk passed
          +1 findbugs 0m 21s trunk passed
          +1 javadoc 0m 12s trunk passed
          +1 mvninstall 0m 12s the patch passed
          +1 compile 6m 46s the patch passed
          +1 javac 6m 46s the patch passed
          -0 checkstyle 0m 12s hadoop-common-project/hadoop-auth: The patch generated 1 new + 28 unchanged - 0 fixed = 29 total (was 28)
          +1 mvnsite 0m 16s the patch passed
          +1 mvneclipse 0m 11s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 28s the patch passed
          +1 javadoc 0m 12s the patch passed
          -1 unit 3m 15s hadoop-auth in the patch failed.
          +1 asflicense 0m 21s The patch does not generate ASF License warnings.
          28m 38s



          Reason Tests
          Failed junit tests hadoop.security.authentication.util.TestZKSignerSecretProvider



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13565
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12826502/HADOOP-13565.00.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 67d7f472045a 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 85bab5f
          Default Java 1.8.0_101
          findbugs v3.0.0
          checkstyle https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-auth.txt
          unit https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-auth.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/testReport/
          modules C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10432/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          arpitagarwal Arpit Agarwal added a comment -

          +1

          Thanks for tracking this down and the fix Xiaoyu Yao.

          xyao Xiaoyu Yao added a comment -

          Thanks Arpit Agarwal for the review. In case other folks on the watcher list have additional comments, I will hold off the commit until 10/13.

          xyao Xiaoyu Yao added a comment -

          Thanks Arpit Agarwal for the review. I've committed the patch to trunk, branch-2 and branch-2.8.

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10604 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10604/)
          HADOOP-13565. KerberosAuthenticationHandler#authenticate should not (xyao: rev 9097e2efe4c92d83c8fab88dc11be84505a6cab5)

          • (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          xyao Xiaoyu Yao added a comment -

          Reopen the issue as the change breaks the existing multiple HTTP principals support. I will revert it from trunk and other branches.

          The original problem with the server SPN that always gets the default realm can be solved by improving KerberosUtil#getDomainRealm() to look up the domain_realm map from krb5 Config.

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10776 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10776/)
          Revert "HADOOP-13565. KerberosAuthenticationHandler#authenticate should (xyao: rev 95665a6eea32ff7134ea556db4dd4ae068364fc0)

          • (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          xyao Xiaoyu Yao added a comment - - edited

          Attach a new patch using a HashMultiMap that supports multiple HTTP SPNs with the same hostname but different realms.

          Test patch manually with multi-realm clusters with HTTP authentication using multiple HTTP SPNs with different combinations of hostnames and realms.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 10s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 7m 2s trunk passed
          +1 compile 9m 32s trunk passed
          +1 checkstyle 0m 18s trunk passed
          +1 mvnsite 0m 25s trunk passed
          +1 mvneclipse 0m 18s trunk passed
          +1 findbugs 0m 27s trunk passed
          +1 javadoc 0m 17s trunk passed
          +1 mvninstall 0m 15s the patch passed
          +1 compile 9m 18s the patch passed
          +1 javac 9m 18s the patch passed
          -0 checkstyle 0m 19s hadoop-common-project/hadoop-auth: The patch generated 36 new + 17 unchanged - 11 fixed = 53 total (was 28)
          +1 mvnsite 0m 25s the patch passed
          +1 mvneclipse 0m 16s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 34s the patch passed
          +1 javadoc 0m 17s the patch passed
          +1 unit 3m 33s hadoop-auth in the patch passed.
          +1 asflicense 0m 29s The patch does not generate ASF License warnings.
          35m 42s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-13565
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12839099/HADOOP-13565.01.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 8cb94f4d5284 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / c265515
          Default Java 1.8.0_111
          findbugs v3.0.0
          checkstyle https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-auth.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/testReport/
          modules C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11218/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          xyao Xiaoyu Yao added a comment -

          Update the patch fixing all the checkstyle issues.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 12s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 8m 12s trunk passed
          +1 compile 10m 29s trunk passed
          +1 checkstyle 0m 18s trunk passed
          +1 mvnsite 0m 26s trunk passed
          +1 mvneclipse 0m 17s trunk passed
          +1 findbugs 0m 30s trunk passed
          +1 javadoc 0m 17s trunk passed
          +1 mvninstall 0m 17s the patch passed
          +1 compile 9m 43s the patch passed
          +1 javac 9m 43s the patch passed
          +1 checkstyle 0m 18s hadoop-common-project/hadoop-auth: The patch generated 0 new + 0 unchanged - 28 fixed = 0 total (was 28)
          +1 mvnsite 0m 25s the patch passed
          +1 mvneclipse 0m 18s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 34s the patch passed
          +1 javadoc 0m 17s the patch passed
          +1 unit 3m 34s hadoop-auth in the patch passed.
          +1 asflicense 0m 34s The patch does not generate ASF License warnings.
          38m 27s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-13565
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12842408/HADOOP-13565.02.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 76a0fa82277e 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 401c731
          Default Java 1.8.0_111
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11221/testReport/
          modules C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11221/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          jnp Jitendra Nath Pandey added a comment -

          For code that splits the principal to parse out different parts, it will be better to use KerberosName class.
          This should be a minor refactoring.
          +1 otherwise.

          xyao Xiaoyu Yao added a comment -

          Thanks Jitendra Nath Pandey for the review. Update a new patch to address the comments.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 10s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 6m 53s trunk passed
          +1 compile 9m 29s trunk passed
          +1 checkstyle 0m 18s trunk passed
          +1 mvnsite 0m 24s trunk passed
          +1 mvneclipse 0m 18s trunk passed
          +1 findbugs 0m 27s trunk passed
          +1 javadoc 0m 17s trunk passed
          +1 mvninstall 0m 14s the patch passed
          +1 compile 9m 3s the patch passed
          +1 javac 9m 3s the patch passed
          +1 checkstyle 0m 18s hadoop-common-project/hadoop-auth: The patch generated 0 new + 0 unchanged - 28 fixed = 0 total (was 28)
          +1 mvnsite 0m 24s the patch passed
          +1 mvneclipse 0m 18s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 35s the patch passed
          +1 javadoc 0m 18s the patch passed
          +1 unit 3m 31s hadoop-auth in the patch passed.
          +1 asflicense 0m 30s The patch does not generate ASF License warnings.
          35m 9s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-13565
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12842455/HADOOP-13565.03.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 9df2e16e82c0 3.13.0-103-generic #150-Ubuntu SMP Thu Nov 24 10:34:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 13d8e55
          Default Java 1.8.0_111
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11225/testReport/
          modules C: hadoop-common-project/hadoop-auth U: hadoop-common-project/hadoop-auth
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11225/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          xyao Xiaoyu Yao added a comment -

          Thanks Jitendra Nath Pandey for the review. I've committed the patch to trunk/branch-2/branch-2.8.

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10985 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10985/)
          HADOOP-13565. KerberosAuthenticationHandler#authenticate should not (xyao: rev 4c38f11cec0664b70e52f9563052dca8fb17c33f)

          • (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
          ajisakaa Akira Ajisaka added a comment -

          Hi Xiaoyu Yao and Jitendra Nath Pandey, this commit broke HADOOP-13890. Could you check this?

          xyao Xiaoyu Yao added a comment -

          Thanks Akira Ajisaka for the heads up. I just assigned HADOOP-13890 to myself and will investigate and fix it shortly.

          xyao Xiaoyu Yao added a comment - - edited

          Looks like a bug in KerberosName parsing where the SPNEGO principal used in these failed tests, "HTTP/localhost" (without realm name), cannot be parsed correctly. KerberosName returns "HTTP/localhost" as the service name and null hostname and null realm.

          I've posted a patch to fix the test SPNEGO principals to include the realm name.
          HADOOP-13891 is opened for the KerberosName parsing issue.

          daryn Daryn Sharp added a comment -

          I've been told this patch broke our testing pipelines. I don't have details but perhaps this patch should be considered for revert until we are sure what the problem(s) are.

          I'll look at this patch tomorrow.

          xyao Xiaoyu Yao added a comment -

          Thanks Daryn Sharp. The problem is that in HADOOP-13565 we enforce an additional principal check requiring the SPNEGO principal to have three complete parts: HTTP, hostname and realm. This prevents principals like HTTP/localhost from being used.

          By relaxing the requirement on realm parts, we maintain the support for principals like HTTP/host. Unlike the first two patches for HADOOP-13890, the 3rd one is a simpler fix that addresses the compatibility concerns without changing the original unit tests. To make this work, we also found and fixed the KerberosName parsing bug to handle principals like HTTP/host. Please review and let me know your thoughts.
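
Added example, not part of the original thread and not code from any HADOOP-13565 patch: a JDK-only Java illustration of the two approaches discussed in this issue, rebuilding the server SPN from the request's server name plus the local realm versus using that name only to select among the HTTP principals the server is configured with, including a realm-less principal such as HTTP/localhost. The names SpnLookupExample, Spn, rebuildFromRequest and candidatesFor are hypothetical, and the sample principals are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration; every class and method name here is hypothetical.
public class SpnLookupExample {

  /** A principal split into service/host@REALM; host and realm may be null. */
  static final class Spn {
    final String service;
    final String host;
    final String realm;

    Spn(String service, String host, String realm) {
      this.service = service;
      this.host = host;
      this.realm = realm;
    }

    static Spn parse(String principal) {
      String name = principal;
      String realm = null;
      int at = principal.lastIndexOf('@');
      if (at >= 0) {
        name = principal.substring(0, at);
        realm = principal.substring(at + 1);
      }
      int slash = name.indexOf('/');
      if (slash < 0) {
        return new Spn(name, null, realm);
      }
      // "HTTP/localhost" yields service=HTTP, host=localhost, realm=null.
      return new Spn(name.substring(0, slash), name.substring(slash + 1), realm);
    }
  }

  /** Lower-cased hostname -> every configured HTTP SPN for it, in any realm. */
  private final Map<String, List<String>> spnsByHost = new HashMap<>();

  SpnLookupExample(List<String> configuredPrincipals) {
    for (String p : configuredPrincipals) {
      Spn spn = Spn.parse(p);
      // Require the HTTP service and a host part; the realm part is optional.
      if (!"HTTP".equals(spn.service) || spn.host == null || spn.host.isEmpty()) {
        continue;
      }
      String key = spn.host.toLowerCase(Locale.ROOT);
      spnsByHost.computeIfAbsent(key, k -> new ArrayList<>()).add(p);
    }
  }

  /** Behaviour described in the issue: SPN rebuilt from the request name. */
  static String rebuildFromRequest(String serverName, String localRealm) {
    return "HTTP/" + serverName + "@" + localRealm;
  }

  /** The request name only selects among principals the server already holds. */
  List<String> candidatesFor(String serverName) {
    List<String> found = spnsByHost.get(serverName.toLowerCase(Locale.ROOT));
    return found == null
        ? Collections.<String>emptyList()
        : Collections.unmodifiableList(found);
  }

  public static void main(String[] args) {
    // Constructed sample principals, modelled on the names used in the issue.
    List<String> configured = Arrays.asList(
        "HTTP/nn1.example.com@TEST.COM",
        "HTTP/nn1.example.com@EXAMPLE.COM",
        "HTTP/nn2.example.com@TEST.COM",
        "HTTP/localhost",
        "nn/nn1.example.com@EXAMPLE.COM"); // not an HTTP SPN, ignored
    SpnLookupExample lookup = new SpnLookupExample(configured);

    // Rebuilding pins nn2 to the local realm, which the server has no key for.
    String rebuilt = rebuildFromRequest("nn2.example.com", "EXAMPLE.COM");
    System.out.println(rebuilt + " configured? " + configured.contains(rebuilt));

    // Lookup returns the SPNs actually held, whatever their realm.
    System.out.println(lookup.candidatesFor("NN1.example.com"));
    System.out.println(lookup.candidatesFor("nn2.example.com"));
    System.out.println(lookup.candidatesFor("localhost"));
    // A Host header naming an unknown host matches nothing and is rejected.
    System.out.println(lookup.candidatesFor("other.example.org"));
  }
}
```

Because the lookup key comes from a client-supplied name, it is used only to choose among configured principals and never to construct a new one.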

          ebadger Eric Badger added a comment -

          Can we revert this until the issues are fixed?


            People

            • Assignee:
              xyao Xiaoyu Yao
              Reporter:
              xyao Xiaoyu Yao
            • Votes:
              0
              Watchers:
              11
