Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15681

AuthenticationFilter should generate valid date format for Set-Cookie header regardless of default Locale

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 3.2.0
    • 3.3.0, 3.2.1, 3.1.3
    • security
    • None

    Description

      Hi guys,

      When I try to set up Hadoop Kerberos authentication for Solr (HTTP2), I met this exception:

      java.lang.IllegalArgumentException: null
      	at org.eclipse.jetty.http2.hpack.Huffman.octetsNeeded(Huffman.java:435) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.hpack.Huffman.octetsNeeded(Huffman.java:409) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.hpack.HpackEncoder.encodeValue(HpackEncoder.java:368) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.hpack.HpackEncoder.encode(HpackEncoder.java:302) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.hpack.HpackEncoder.encode(HpackEncoder.java:179) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.generator.HeadersGenerator.generateHeaders(HeadersGenerator.java:72) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.generator.HeadersGenerator.generate(HeadersGenerator.java:56) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.generator.Generator.control(Generator.java:80) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Session$ControlEntry.generate(HTTP2Session.java:1163) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Flusher.process(HTTP2Flusher.java:184) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.IteratingCallback.processing(IteratingCallback.java:241) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.IteratingCallback.iterate(IteratingCallback.java:224) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Session.frame(HTTP2Session.java:685) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Session.frames(HTTP2Session.java:657) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Stream.headers(HTTP2Stream.java:107) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.server.HttpTransportOverHTTP2.sendHeadersFrame(HttpTransportOverHTTP2.java:235) ~[http2-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.server.HttpTransportOverHTTP2.send(HttpTransportOverHTTP2.java:134) ~[http2-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannel.sendResponse(HttpChannel.java:790) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannel.write(HttpChannel.java:846) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpOutput.write(HttpOutput.java:240) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpOutput.write(HttpOutput.java:216) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpOutput.close(HttpOutput.java:298) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpWriter.close(HttpWriter.java:49) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.ResponseWriter.close(ResponseWriter.java:163) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.Response.closeOutput(Response.java:1038) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ErrorHandler.generateAcceptableResponse(ErrorHandler.java:178) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ErrorHandler.doError(ErrorHandler.java:142) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ErrorHandler.handle(ErrorHandler.java:78) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.Response.sendError(Response.java:655) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:158) ~[javax.servlet-api-3.1.0.jar:3.1.0]
      	at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:158) ~[javax.servlet-api-3.1.0.jar:3.1.0]
      	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:580) ~[hadoop-auth-2.7.4.jar:?]
      	at org.apache.solr.security.DelegationTokenKerberosFilter.doFilter(DelegationTokenKerberosFilter.java:134) ~[java/:?]
      	at org.apache.solr.security.KerberosPlugin.doAuthenticate(KerberosPlugin.java:270) ~[java/:?]
      	at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:452) ~[java/:?]
      	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:347) ~[java/:?]
      	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:324) ~[java/:?]
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) ~[jetty-servlet-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.apache.solr.client.solrj.embedded.JettySolrRunner$DebugFilter.doFilter(JettySolrRunner.java:140) ~[java/:?]
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) ~[jetty-servlet-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) ~[jetty-servlet-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) ~[jetty-servlet-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:674) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.Server.handle(Server.java:531) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:293) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:178) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http2.server.HTTP2ServerConnection.onOpen(HTTP2ServerConnection.java:148) ~[http2-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.io.AbstractEndPoint.upgrade(AbstractEndPoint.java:440) ~[jetty-io-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpConnection.onCompleted(HttpConnection.java:385) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannelOverHttp.upgrade(HttpChannelOverHttp.java:481) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpChannelOverHttp.headerComplete(HttpChannelOverHttp.java:372) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http.HttpParser.handleHeaderContentMessage(HttpParser.java:594) ~[jetty-http-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http.HttpParser.parseFields(HttpParser.java:1219) ~[jetty-http-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1508) ~[jetty-http-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:360) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:250) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281) ~[jetty-io-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) ~[jetty-io-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) ~[jetty-io-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762) [jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680) [jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
      	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
      

      This error comes from Jetty Hpack when it tries to compress this header

            Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Déar, 01-Ean-1970 00:00:00 GMT; HttpOnly
      

      Déar mean Thursday in Ireland and Jetty Hpack can't encode Unicode character. That header is generated by org.apache.hadoop.security.authentication.server.AuthenticationFilter.createAuthCookie()

      I posted this problem to the Jetty community and Greg said that (https://github.com/eclipse/jetty.project/issues/2815)

      I'm pretty sure that unicode characters are not legal for HTTP field values, as RFC7230 says:

      Historically, HTTP has allowed field content with text in the
      ISO-8859-1 charset [ISO-8859-1], supporting other charsets only
      through use of [RFC2047] encoding. In practice, most HTTP header
      field values use only a subset of the US-ASCII charset [USASCII].
      Newly defined header fields SHOULD limit their field values to
      US-ASCII octets. A recipient SHOULD treat other octets in field
      content (obs-text) as opaque data.

      So I don't think that header is legal... but it should not fail in hpack, whose RFC says it should treat fields as opaque octets!

      Therefore I think preventing Unicode character generated from AuthenticationFilter should be a good idea.

      Attachments

        1. HADOOP-15681.patch
          1.0 kB
          Cao Manh Dat

        Issue Links

          Activity

            People

              caomanhdat Cao Manh Dat
              caomanhdat Cao Manh Dat
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: