Hadoop Common / HADOOP-15518

Authentication filter calling handler after request already authenticated

    Details

    • Type: Bug
    • Status: Patch Available
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.7.1
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

      Description

      The hadoop-auth AuthenticationFilter will invoke its handler even if a prior successful authentication has occurred in the current request.  This primarily affects situations where multiple authentication mechanisms have been configured.  For example, when core-site.xml has hadoop.http.authentication.type=kerberos and yarn-site.xml has yarn.timeline-service.http-authentication.type=kerberos, the result is an attempt to perform two Kerberos authentications for the same request.  This in turn results in Kerberos triggering a replay attack detection.  The javadocs for AuthenticationHandler (https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java) indicate for the authenticate method that

      This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated.

      This does not appear to be the case in practice.

      I've created a patch and tested on a limited number of functional use cases (e.g. the timeline-service issue noted above).  If there is general agreement that the change is valid I'll add unit tests to the patch.
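
The failure mode described above, modelled as an added example (not Hadoop code and not the attached patch): two chained filters hand the same token to one acceptor with a replay cache, and `skip_if_authenticated` is a hypothetical guard that skips the handler once the request already carries a user. All class and function names, the sample token, the principal and the status strings are constructed, and the shared replay cache is a modelling assumption.

```python
# Constructed model of the double authentication described above.
# Not Hadoop code; every name here is hypothetical.

class ReplayError(Exception):
    """An authenticator that was already accepted was presented again."""

class Acceptor:
    """Stand-in for the service-side Kerberos acceptor and its replay cache."""
    def __init__(self):
        self._seen = set()

    def accept(self, token):
        if token in self._seen:
            raise ReplayError("request is a replay")
        self._seen.add(token)
        return "alice"  # constructed principal name

class Request:
    def __init__(self, token):
        self.token = token        # constructed Negotiate token
        self.remote_user = None   # set once a filter has authenticated the request

class AuthFilter:
    def __init__(self, acceptor, skip_if_authenticated):
        self.acceptor = acceptor
        self.skip_if_authenticated = skip_if_authenticated
        self.handler_calls = 0

    def do_filter(self, request, next_step):
        # Guard (assumption): an earlier filter already authenticated the request.
        if self.skip_if_authenticated and request.remote_user is not None:
            return next_step(request)
        self.handler_calls += 1
        request.remote_user = self.acceptor.accept(request.token)
        return next_step(request)

def run_chain(skip_if_authenticated):
    """Send one request through two filters; return (status, handler calls)."""
    acceptor = Acceptor()  # assumption: both filters hit the same replay cache
    first = AuthFilter(acceptor, skip_if_authenticated)
    second = AuthFilter(acceptor, skip_if_authenticated)
    request = Request("constructed-token-1")
    endpoint = lambda req: "200 " + req.remote_user
    try:
        status = first.do_filter(request, lambda req: second.do_filter(req, endpoint))
    except ReplayError as exc:
        status = "403 " + str(exc)  # constructed status string
    return status, (first.handler_calls, second.handler_calls)
```

Calling `run_chain(False)` reproduces the replay rejection on the second filter, while `run_chain(True)` lets the request through with the second handler never invoked.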

       

        Attachments

        1. HADOOP-15518-001.patch
          2 kB
          Kevin Minder

              People

              • Assignee:
                kminder Kevin Minder
                Reporter:
                kminder Kevin Minder
              • Votes: 0
                Watchers: 8
