Details
- Bug
- Status: Patch Available
- Major
- Resolution: Unresolved
- 2.7.1
- None
- None
Description
The hadoop-auth AuthenticationFilter will invoke its handler even if a prior successful authentication has occurred in the current request. This primarily affects situations where multiple authentication mechanisms have been configured. For example, when core-site.xml has hadoop.http.authentication.type=kerberos and yarn-site.xml has yarn.timeline-service.http-authentication.type=kerberos, the result is an attempt to perform two Kerberos authentications for the same request. This in turn results in Kerberos triggering a replay attack detection. The javadocs for AuthenticationHandler (https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java) indicate for the authenticate method that:
"This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated."
This does not appear to be the case in practice.
I've created a patch and tested on a limited number of functional use cases (e.g. the timeline-service issue noted above). If there is general agreement that the change is valid I'll add unit tests to the patch.
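The failure described in this report, modelled as an added example that is not hadoop-auth code and not the attached patch: two filters process the same request, and a shared replay cache rejects the second validation of the same token unless the filter first checks for an existing authentication. All class, method and token names are hypothetical, and the guard shown is one possible form of the check, stated as an assumption.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model, not hadoop-auth code: every name here is hypothetical.
public class DoubleAuthDemo {
    // Stands in for the Kerberos replay cache: a token is accepted only once.
    static final Set<String> replayCache = new HashSet<>();

    // Constructed request: one client token plus server-side authentication state.
    static class Request {
        final String token;
        String authenticatedUser; // null until a filter authenticates the request
        Request(String token) { this.token = token; }
    }

    // Stands in for a Kerberos handler validating the client's token.
    static String authenticate(Request req) {
        if (!replayCache.add(req.token)) {
            throw new SecurityException("replayed token");
        }
        return "alice"; // constructed principal
    }

    // Behaviour described in the report: the handler runs on every filter pass.
    static void unguardedFilter(Request req) {
        req.authenticatedUser = authenticate(req);
    }
    // Assumed guard: call the handler only if the request is not yet authenticated.
    static void guardedFilter(Request req) {
        if (req.authenticatedUser == null) {
            req.authenticatedUser = authenticate(req);
        }
    }

    // Passes one request through two filters, as with the two configured types.
    static String runChain(String token, boolean guarded) {
        Request req = new Request(token);
        try {
            for (int pass = 0; pass < 2; pass++) {
                if (guarded) guardedFilter(req); else unguardedFilter(req);
            }
            return "ok:" + req.authenticatedUser;
        } catch (SecurityException e) {
            return "rejected:" + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded chain -> " + runChain("token-1", false));
        System.out.println("guarded chain   -> " + runChain("token-2", true));
    }
}
```

A guard of this kind must rely only on authentication state set server-side by an earlier filter in the same request, never on a value the client can supply.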