Hadoop Common / HADOOP-8249

invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 2.0.0-alpha
    • Fix Version/s: 1.2.0, 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      WebHdfs gives out cookies. But when the client passes them back, it'd sometimes reject them and return an HTTP 401 instead. ("Sometimes" as in after a restart.) The interesting thing is that if the client doesn't pass the cookie back, WebHdfs will be totally happy.

      The correct behaviour should be to ignore the cookie if it looks invalid, and attempt to proceed with the request handling.

      I haven't tried HttpFs to see whether it handles restart better.

      Reproducing it with curl:

      ####################################################
      ## Initial curl. Storing cookie to file.
      ####################################################
      
      [root@vbox2 ~]# curl -c /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614686366&s=z2w5xpFlufnnEoOHxVRiXqxwtqM=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Another curl. Using the cookie jar.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Restart NN.
      ####################################################
      
      [root@vbox2 ~]# /etc/init.d/hadoop-hdfs-namenode restart
      Stopping Hadoop namenode:                                  [  OK  ]
      stopping namenode
      Starting Hadoop namenode:                                  [  OK  ]
      starting namenode, logging to /var/log/hadoop-hdfs/hadoop-hdfs-namenode-vbox2.out
      
      ####################################################
      ## Curl using cookie jar gives error.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
      Content-Type: text/html; charset=iso-8859-1
      Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
      Cache-Control: must-revalidate,no-cache,no-store
      Content-Length: 1520
      Server: Jetty(6.1.26)
      
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
      <title>Error 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</title>
      </head>
      <body><h2>HTTP ERROR 401</h2>
      <p>Problem accessing /webhdfs/v1/. Reason:
      <pre>    org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
      ...
      
      ####################################################
      ## Curl without cookie jar is ok.
      ####################################################
      
      [root@vbox2 ~]# curl -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614995947&s=IXSvPIDbNrqmZryivGeoey6Kjwo=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
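
A minimal Python model of the behaviour reported above next to the behaviour the description asks for, added here as an illustration; it is not code from hadoop-auth or from the attached patches. Assumptions: the signature is HMAC-SHA1 over the cookie fields, the restart is modelled as a fresh random signing secret, and `sign`, `verify`, `handle` and `demo` are hypothetical names.

```python
import base64, hashlib, hmac, os, time

def sign(value: str, secret: bytes) -> str:
    # Cookie shape from the transcript: "<fields>&s=<base64 sig>". HMAC-SHA1 is an assumption.
    mac = hmac.new(secret, value.encode(), hashlib.sha1).digest()
    return value + "&s=" + base64.b64encode(mac).decode()

def verify(cookie: str, secret: bytes):
    """Return the token fields if signature and expiry check out, else None."""
    value, sep, _ = cookie.rpartition("&s=")
    if not sep or not hmac.compare_digest(sign(value, secret).encode(), cookie.encode()):
        return None
    fields = dict(kv.split("=", 1) for kv in value.split("&"))
    return fields if int(fields["e"]) > time.time() * 1000 else None

def handle(cookie, user_name, secret, lenient):
    """Model of the filter decision; returns (status, Set-Cookie value or None)."""
    token = verify(cookie, secret) if cookie else None
    if token is not None:
        return 200, None                      # valid cookie: no re-authentication
    if cookie and not lenient:
        return 401, "hadoop.auth="            # reported behaviour: reject and clear
    # Requested behaviour: discard the bad cookie, trust none of its fields, and
    # authenticate only from what this request itself carries.
    if not user_name:
        return 401, "hadoop.auth="
    expiry = int(time.time() * 1000) + 36_000_000  # constructed 10 h lifetime
    token = sign(f"u={user_name}&p={user_name}&t=simple&e={expiry}", secret)
    return 200, f'hadoop.auth="{token}"'

def demo():
    old, new = os.urandom(32), os.urandom(32)  # assumption: restart = new signing secret
    jar = handle(None, "bcwalrus", old, False)[1].split("=", 1)[1].strip('"')
    forged = jar.replace("u=bcwalrus", "u=hdfs")  # constructed tampered cookie
    return {
        "before_restart": handle(jar, "bcwalrus", old, False)[0],
        "after_restart_reported": handle(jar, "bcwalrus", new, False)[0],
        "after_restart_fixed": handle(jar, "bcwalrus", new, True)[0],
        "forged_without_credentials": handle(forged, None, new, True)[0],
        "forged_with_user_name": handle(forged, "bcwalrus", new, True)[1],
    }

if __name__ == "__main__":
    print(demo())
```

The two forged-cookie cases show why falling through is safe: the identity in the new cookie comes from the request's own `user.name`, never from the rejected cookie.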
      
      1. HADOOP-8249.patch
        4 kB
        Alejandro Abdelnur
      2. HDFS-3198_branch-1.patch
        3 kB
        Alejandro Abdelnur

          People

          • Assignee:
            Alejandro Abdelnur
            Reporter:
            bc Wong