Hadoop Common
  1. Hadoop Common
  2. HADOOP-8249

invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 2.0.0-alpha
    • Fix Version/s: 1.2.0, 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      WebHdfs gives out cookies. But when the client passes them back, it'd sometimes reject them and return a HTTP 401 instead. ("Sometimes" as in after a restart.) The interesting thing is that if the client doesn't pass the cookie back, WebHdfs will be totally happy.

      The correct behaviour should be to ignore the cookie if it looks invalid, and attempt to proceed with the request handling.

      I haven't tried HttpFs to see whether it handles restart better.

      Reproducing it with curl:

      ####################################################
      ## Initial curl. Storing cookie to file.
      ####################################################
      
      [root@vbox2 ~]# curl -c /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614686366&s=z2w5xpFlufnnEoOHxVRiXqxwtqM=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Another curl. Using the cookie jar.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Restart NN.
      ####################################################
      
      [root@vbox2 ~]# /etc/init.d/hadoop-hdfs-namenode restartStopping Hadoop namenode:                                  [  OK  ]
      stopping namenode
      Starting Hadoop namenode:                                  [  OK  ]
      starting namenode, logging to /var/log/hadoop-hdfs/hadoop-hdfs-namenode-vbox2.out
      
      ####################################################
      ## Curl using cookie jar gives error.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
      Content-Type: text/html; charset=iso-8859-1
      Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
      Cache-Control: must-revalidate,no-cache,no-store
      Content-Length: 1520
      Server: Jetty(6.1.26)
      
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
      <title>Error 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</title>
      </head>
      <body><h2>HTTP ERROR 401</h2>
      <p>Problem accessing /webhdfs/v1/. Reason:
      <pre>    org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
      ...
      
      ####################################################
      ## Curl without cookie jar is ok.
      ####################################################
      
      [root@vbox2 ~]# curl -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614995947&s=IXSvPIDbNrqmZryivGeoey6Kjwo=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      1. HDFS-3198_branch-1.patch
        3 kB
        Alejandro Abdelnur
      2. HADOOP-8249.patch
        4 kB
        Alejandro Abdelnur

        Activity

        Hide
        Alejandro Abdelnur added a comment -

        the AuthenticationFilter logic now attempts to authenticate the request without doing a HTTP 401 if there is info avail in the request to perform the authentication.

        Show
        Alejandro Abdelnur added a comment - the AuthenticationFilter logic now attempts to authenticate the request without doing a HTTP 401 if there is info avail in the request to perform the authentication.
        Hide
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 3 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in .

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//console This message is automatically generated.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 3 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.fs.viewfs.TestViewFsTrash

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//console This message is automatically generated.
        Hide
        Alejandro Abdelnur added a comment -

        test failure is unrelated

        Show
        Alejandro Abdelnur added a comment - test failure is unrelated
        Hide
        Eli Collins added a comment -

        +1 looks good

        Style nit: the catch and else clause go on the same line as the bracket

        Show
        Eli Collins added a comment - +1 looks good Style nit: the catch and else clause go on the same line as the bracket
        Hide
        Alejandro Abdelnur added a comment -

        committed to trunk and branch-2

        Show
        Alejandro Abdelnur added a comment - committed to trunk and branch-2
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk-Commit #2089 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2089/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #2089 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2089/ ) HADOOP-8249 . invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #2014 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2014/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #2014 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2014/ ) HADOOP-8249 . invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk-Commit #2028 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2028/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #2028 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2028/ ) HADOOP-8249 . invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk #1006 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1006/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = FAILURE
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #1006 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1006/ ) HADOOP-8249 . invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk #1041 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1041/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1041 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1041/ ) HADOOP-8249 . invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        Alejandro Abdelnur added a comment -

        we need backport for hadoop 1

        Show
        Alejandro Abdelnur added a comment - we need backport for hadoop 1
        Hide
        Alejandro Abdelnur added a comment -

        patch for branch-1

        Show
        Alejandro Abdelnur added a comment - patch for branch-1
        Hide
        Alejandro Abdelnur added a comment -

        committed to branch-1

        Show
        Alejandro Abdelnur added a comment - committed to branch-1
        Hide
        Daryn Sharp added a comment -

        Just a question, did you test if MR jobs gracefully handle the re-auth response? I'm presuming the job won't have the credentials for a re-auth, so hopefully it makes the job "gracefully" fail?

        Show
        Daryn Sharp added a comment - Just a question, did you test if MR jobs gracefully handle the re-auth response? I'm presuming the job won't have the credentials for a re-auth, so hopefully it makes the job "gracefully" fail?

          People

          • Assignee:
            Alejandro Abdelnur
            Reporter:
            bc Wong
          • Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development