HADOOP-15518 (Hadoop Common)

Authentication filter calling handler after request already authenticated


    • Type: Bug
    • Status: Patch Available
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.7.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:


      The hadoop-auth AuthenticationFilter will invoke its handler even if a prior successful authentication has occurred in the current request. This primarily affects situations where multiple authentication mechanisms have been configured. For example, when core-site.xml has hadoop.http.authentication.type=kerberos and yarn-site.xml has yarn.timeline-service.http-authentication.type=kerberos, the result is an attempt to perform two Kerberos authentications for the same request. This in turn results in Kerberos triggering a replay attack detection. The javadocs for AuthenticationHandler (https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java) indicate for the authenticate method that

      This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated.

      This does not appear to be the case in practice.

      I've created a patch and tested it on a limited number of functional use cases (e.g. the timeline-service issue noted above). If there is general agreement that the change is valid I'll add unit tests to the patch.
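To illustrate the reported behaviour, here is a constructed Python model (not Hadoop code and not the reporter's patch) of one request passing through two authentication filters: an in-process replay cache stands in for the GSS-API replay check, and the `guard` flag toggles between the reported behaviour and the contract stated in the javadoc. The request, token, principal and class names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

class ReplayDetected(Exception):
    """Stands in for the GSS-API error raised when an AP-REQ is presented twice."""

@dataclass
class Request:
    headers: dict
    principal: Optional[str] = None  # populated once some filter has authenticated

class NegotiateHandler:
    """Accepts each SPNEGO authenticator exactly once (models an in-process replay cache)."""
    def __init__(self, cache: set):
        self.cache = cache  # shared: both handlers accept tickets for the same service principal
    def authenticate(self, req: Request) -> str:
        token = req.headers["Authorization"].split(" ", 1)[1]
        if token in self.cache:
            raise ReplayDetected(token)
        self.cache.add(token)
        return "alice@EXAMPLE.COM"  # constructed principal

class AuthFilter:
    def __init__(self, handler: NegotiateHandler, guard: bool):
        self.handler, self.guard = handler, guard
    def do_filter(self, req: Request, chain: Callable[[Request], str]) -> str:
        # guard=False: handler invoked regardless of an earlier authentication (reported bug).
        # guard=True: honour the javadoc contract and skip the handler when already authenticated.
        if not (self.guard and req.principal is not None):
            req.principal = self.handler.authenticate(req)
        return chain(req)

def run_chain(filters: List[AuthFilter], req: Request) -> str:
    """Chain the filters like a servlet container; the final 'servlet' reports the principal."""
    def next_filter(i: int) -> Callable[[Request], str]:
        def step(r: Request) -> str:
            if i == len(filters):
                return r.principal
            return filters[i].do_filter(r, next_filter(i + 1))
        return step
    return next_filter(0)(req)

def double_auth_outcome(guard: bool) -> str:
    """One request through two Kerberos filters (e.g. core-site plus timeline-service config)."""
    cache = set()
    filters = [AuthFilter(NegotiateHandler(cache), guard) for _ in range(2)]
    req = Request(headers={"Authorization": "Negotiate YIIB-constructed-token"})
    try:
        return run_chain(filters, req)
    except ReplayDetected:
        return "replay detected"
```

With `guard=False` the second filter re-presents the same authenticator and the model reports a replay; with `guard=True` the request reaches the servlet authenticated once.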



              • Assignee: Kevin Minder (kminder)
              • Votes: 0
              • Watchers: 8