Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-14687

AuthenticatedURL will reuse bad/expired session cookies

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.6.0
    • 2.9.0, 3.0.0-beta1, 2.8.2
    • common
    • None
    • Reviewed

    Description

      AuthenticatedURL with kerberos was designed to perform spnego, then use a session cookie to avoid renegotiation overhead. Unfortunately the client will continue to use a cookie after it expires. Every request elicits a 401, connection closes (despite keepalive because 401 is an "error"), TGS is obtained, connection re-opened, re-requests with TGS, repeat cycle. This places a strain on the kdc and creates lots of time_wait sockets.

      The main problem is unbeknownst to the auth url, the JDK transparently does spnego. The server issues a new cookie but the auth url doesn't scrape the cookie from the response because it doesn't know the JDK re-authenticated.

      Attachments

        1. HADOOP-14687.trunk.patch
          28 kB
          Daryn Sharp
        2. HADOOP-14687.branch-2.8.patch
          29 kB
          Daryn Sharp
        3. HADOOP-14687.2.trunk.patch
          29 kB
          Daryn Sharp

        Activity

          People

            daryn Daryn Sharp
            daryn Daryn Sharp
            Votes:
            0 Vote for this issue
            Watchers:
            17 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: