[HADOOP-14687] AuthenticatedURL will reuse bad/expired session cookies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.6.0
Fix Version/s: 2.9.0, 3.0.0-beta1, 2.8.2
Component/s: common
Labels:
None

Target Version/s:

2.8.2
Hadoop Flags:

Reviewed

Description

AuthenticatedURL with kerberos was designed to perform spnego, then use a session cookie to avoid renegotiation overhead. Unfortunately the client will continue to use a cookie after it expires. Every request elicits a 401, connection closes (despite keepalive because 401 is an "error"), TGS is obtained, connection re-opened, re-requests with TGS, repeat cycle. This places a strain on the kdc and creates lots of time_wait sockets.

The main problem is unbeknownst to the auth url, the JDK transparently does spnego. The server issues a new cookie but the auth url doesn't scrape the cookie from the response because it doesn't know the JDK re-authenticated.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-14687.trunk.patch
18/Aug/17 14:55
28 kB
Daryn Sharp
HADOOP-14687.2.trunk.patch
18/Aug/17 21:04
29 kB
Daryn Sharp
HADOOP-14687.branch-2.8.patch
22/Aug/17 15:54
29 kB
Daryn Sharp

Activity

People

Assignee:: Daryn Sharp

Reporter:: Daryn Sharp

Votes:: 0 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 26/Jul/17 13:22

Updated:: 16/Mar/18 02:10

Resolved:: 22/Aug/17 21:59