Details
- Bug
- Status: Patch Available
- Minor
- Resolution: Unresolved
- 3.0.0-alpha2
- None
- None
Description
If somehow KerberosAuthenticationHandler#authenticate gets an empty service principal set, it throws a useless exception like the following:
```
2017-04-19 10:11:39,812 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationException
org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.client.AuthenticationException
    at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:452)
    at org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler.authenticate(MultiSchemeAuthenticationHandler.java:193)
    at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:400)
    at org.apache.hadoop.security.token.delegation.web.MultiSchemeDelegationTokenAuthenticationHandler.authenticate(MultiSchemeDelegationTokenAuthenticationHandler.java:180)
    at org.apache.solr.security.RequestContinuesRecorderAuthenticationHandler.authenticate(RequestContinuesRecorderAuthenticationHandler.java:69)
    at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:532)
```
The following code has a logic error. If serverPrincipals is empty, token remains null in the end, but lastException is also null, so throwing it is meaningless. It should throw with a more meaningful message.
KerberosAuthenticationHandler#authenticate
```java
AuthenticationToken token = null;
Exception lastException = null;
for (String serverPrincipal : serverPrincipals) {
  try {
    token = runWithPrincipal(serverPrincipal, clientToken, base64, response);
  } catch (Exception ex) {
    lastException = ex;
    LOG.trace("Auth {} failed with {}", serverPrincipal, ex);
  } finally {
    if (token != null) {
      LOG.trace("Auth {} successfully", serverPrincipal);
      break;
    }
  }
}
if (token != null) {
  return token;
} else {
  throw new AuthenticationException(lastException);
}
```
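One way to handle the empty-set case, written here as an added example and not the patch attached to this issue. `AuthException` and the `attempt` function are local stand-ins (assumptions) for hadoop-auth's `AuthenticationException` and `runWithPrincipal`, so the class compiles on its own.

```java
import java.util.Collection;
import java.util.List;
import java.util.function.Function;

public class PrincipalLoopDemo {
    // Local stand-in (assumption) for hadoop-auth's AuthenticationException.
    static class AuthException extends Exception {
        AuthException(String msg) { super(msg); }
        AuthException(String msg, Throwable cause) { super(msg, cause); }
    }

    // 'attempt' is a hypothetical stand-in for runWithPrincipal(...):
    // it returns a token, returns null, or throws.
    static String authenticate(Collection<String> serverPrincipals,
                               Function<String, String> attempt) throws AuthException {
        if (serverPrincipals == null || serverPrincipals.isEmpty()) {
            // The case from the report: the loop never runs, so there is nothing to rethrow.
            throw new AuthException("No server principals configured; cannot authenticate");
        }
        Exception lastException = null;
        for (String principal : serverPrincipals) {
            try {
                String token = attempt.apply(principal);
                if (token != null) {
                    return token;
                }
            } catch (RuntimeException ex) {
                lastException = ex; // remember the most recent failure as the cause
            }
        }
        // Count only: keep principal names out of the message in case it is returned to the caller.
        String msg = "Authentication failed for all " + serverPrincipals.size() + " server principal(s)";
        // lastException can still be null if every attempt returned null without throwing.
        throw lastException == null ? new AuthException(msg) : new AuthException(msg, lastException);
    }

    public static void main(String[] args) {
        // Constructed inputs: an empty principal set, then one principal whose attempt fails.
        List<List<String>> cases = List.of(List.<String>of(), List.of("HTTP/host.example.com@EXAMPLE.COM"));
        for (List<String> principals : cases) {
            try {
                authenticate(principals, p -> { throw new IllegalStateException("GSS failure for " + p); });
            } catch (AuthException e) {
                System.out.println(e.getMessage() + " (cause: " + e.getCause() + ")");
            }
        }
    }
}
```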
Attachments
Issue Links
- is depended upon by HADOOP-12649 Improve Kerberos diagnostics and failure handling (Open)