Hadoop Common / HADOOP-8249

invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 2.0.0-alpha
    • Fix Version/s: 1.2.0, 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      WebHdfs gives out cookies. But when the client passes them back, it'd sometimes reject them and return a HTTP 401 instead. ("Sometimes" as in after a restart.) The interesting thing is that if the client doesn't pass the cookie back, WebHdfs will be totally happy.

      The correct behaviour should be to ignore the cookie if it looks invalid, and attempt to proceed with the request handling.

      I haven't tried HttpFs to see whether it handles restart better.

      Reproducing it with curl:

      ####################################################
      ## Initial curl. Storing cookie to file.
      ####################################################
      
      [root@vbox2 ~]# curl -c /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614686366&s=z2w5xpFlufnnEoOHxVRiXqxwtqM=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Another curl. Using the cookie jar.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      ####################################################
      ## Restart NN.
      ####################################################
      
      [root@vbox2 ~]# /etc/init.d/hadoop-hdfs-namenode restart
      Stopping Hadoop namenode:                                  [  OK  ]
      stopping namenode
      Starting Hadoop namenode:                                  [  OK  ]
      starting namenode, logging to /var/log/hadoop-hdfs/hadoop-hdfs-namenode-vbox2.out
      
      ####################################################
      ## Curl using cookie jar gives error.
      ####################################################
      
      [root@vbox2 ~]# curl -b /tmp/webhdfs.cookie -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
      Content-Type: text/html; charset=iso-8859-1
      Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
      Cache-Control: must-revalidate,no-cache,no-store
      Content-Length: 1520
      Server: Jetty(6.1.26)
      
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
      <title>Error 401 org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</title>
      </head>
      <body><h2>HTTP ERROR 401</h2>
      <p>Problem accessing /webhdfs/v1/. Reason:
      <pre>    org.apache.hadoop.security.authentication.util.SignerException: Invalid signature</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
      ...
      
      ####################################################
      ## Curl without cookie jar is ok.
      ####################################################
      
      [root@vbox2 ~]# curl -i 'http://localhost:50070/webhdfs/v1/?op=LISTSTATUS&user.name=bcwalrus'
      HTTP/1.1 200 OK
      Content-Type: application/json
      Expires: Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: hadoop.auth="u=bcwalrus&p=bcwalrus&t=simple&e=1333614995947&s=IXSvPIDbNrqmZryivGeoey6Kjwo=";Path=/
      Content-Length: 597
      Server: Jetty(6.1.26)
      
      {"FileStatuses":{"FileStatus":[
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577906198,"owner":"mapred","pathSuffix":"tmp","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333577511848,"owner":"hdfs","pathSuffix":"user","permission":"1777","replication":0,"type":"DIRECTORY"},
      {"accessTime":0,"blockSize":0,"group":"supergroup","length":0,"modificationTime":1333428745116,"owner":"mapred","pathSuffix":"var","permission":"755","replication":0,"type":"DIRECTORY"}
      ]}}
      
      1. HDFS-3198_branch-1.patch
        3 kB
        Alejandro Abdelnur
      2. HADOOP-8249.patch
        4 kB
        Alejandro Abdelnur

        Activity

        bc Wong created issue -
        Alejandro Abdelnur made changes -
        Field Original Value New Value
        Project Hadoop HDFS [ 12310942 ] Hadoop Common [ 12310240 ]
        Key HDFS-3198 HADOOP-8249
        Affects Version/s 0.23.1 [ 12318884 ]
        Affects Version/s 2.0.0 [ 12320352 ]
        Affects Version/s 0.23.1 [ 12318885 ]
        Component/s security [ 12312526 ]
        Component/s name-node [ 12312926 ]
        Alejandro Abdelnur made changes -
        Summary webhdfs does not honour its own cookies invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401
        Assignee Alejandro Abdelnur [ tucu00 ]
        Alejandro Abdelnur added a comment -

        the AuthenticationFilter logic now attempts to authenticate the request without doing a HTTP 401 if there is info avail in the request to perform the authentication.
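
A minimal model of the filter behaviour before and after this change, added here as an illustration; it is not code from the patch or from hadoop-auth. The HMAC-SHA1 `Signer`, the per-start random secret, and the names `handle`, `authenticate_request` and `token_from_cookie` are assumptions made for the example. It also shows that the fixed path takes the user only from the fresh authentication, never from the rejected cookie.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs

TTL_MS = 36_000_000  # constructed token lifetime (10 h), not taken from the page


class SignerError(Exception):
    pass


class Signer:
    """Stand-in signer: base64(HMAC-SHA1(secret, payload)) appended as &s=."""

    def __init__(self, secret=None):
        # Assumption: no secret is configured, so every start draws a new one.
        self.secret = secret or os.urandom(16)

    def _mac(self, payload):
        digest = hmac.new(self.secret, payload.encode(), hashlib.sha1).digest()
        return base64.b64encode(digest).decode()

    def sign(self, payload):
        return f"{payload}&s={self._mac(payload)}"

    def verify(self, signed):
        payload, sep, sig = signed.rpartition("&s=")
        if not sep or not hmac.compare_digest(sig.encode(), self._mac(payload).encode()):
            raise SignerError("Invalid signature")
        return payload


def token_from_cookie(signer, cookie, now_ms):
    """Return the user of a valid, unexpired cookie; raise SignerError otherwise."""
    fields = dict(kv.split("=", 1) for kv in signer.verify(cookie).split("&"))
    if int(fields["e"]) < now_ms:
        # In this model an expired token is handled like any other invalid cookie.
        raise SignerError("Token expired")
    return fields["u"]


def authenticate_request(signer, query, now_ms):
    """Stand-in for the 'simple' handler used in the report (user.name in the query)."""
    user = parse_qs(query).get("user.name", [None])[0]
    if user is None:
        return 401, None, None
    payload = f"u={user}&p={user}&t=simple&e={now_ms + TTL_MS}"
    return 200, user, signer.sign(payload)


def handle(signer, cookie, query, now_ms, fixed):
    """Return (status, user, new_cookie); fixed=False models the reported behaviour."""
    if cookie is not None:
        try:
            return 200, token_from_cookie(signer, cookie, now_ms), None
        except SignerError:
            if not fixed:
                return 401, None, ""  # reported: 401 and the cookie is cleared
            # Fixed: drop the cookie entirely and authenticate from the request.
    return authenticate_request(signer, query, now_ms)
```
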

        Alejandro Abdelnur made changes -
        Attachment HADOOP-8249.patch [ 12521475 ]
        Alejandro Abdelnur made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Fix Version/s 2.0.0 [ 12320352 ]
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 3 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in .

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/822//console

        This message is automatically generated.

        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12521475/HADOOP-8249.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 3 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.fs.viewfs.TestViewFsTrash

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/824//console

        This message is automatically generated.

        Alejandro Abdelnur added a comment -

        test failure is unrelated

        Eli Collins added a comment -

        +1 looks good

        Style nit: the catch and else clause go on the same line as the bracket

        Alejandro Abdelnur added a comment -

        committed to trunk and branch-2

        Alejandro Abdelnur made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Hadoop Flags Reviewed [ 10343 ]
        Resolution Fixed [ 1 ]
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk-Commit #2089 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2089/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #2014 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2014/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk-Commit #2028 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2028/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk #1006 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1006/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = FAILURE
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk #1041 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1041/)
        HADOOP-8249. invalid hadoop-auth cookies should trigger authentication if info is avail before returning HTTP 401 (tucu) (Revision 1310235)

        Result = SUCCESS
        tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1310235
        Files :

        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        Alejandro Abdelnur added a comment -

        we need backport for hadoop 1

        Alejandro Abdelnur made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Alejandro Abdelnur added a comment -

        patch for branch-1

        Alejandro Abdelnur made changes -
        Attachment HDFS-3198_branch-1.patch [ 12521809 ]
        Alejandro Abdelnur made changes -
        Affects Version/s 1.1.0 [ 12316501 ]
        Affects Version/s 0.23.1 [ 12318884 ]
        Arun C Murthy made changes -
        Fix Version/s 2.0.1-alpha [ 12321441 ]
        Fix Version/s 2.0.0-alpha [ 12320352 ]
        Alejandro Abdelnur added a comment -

        committed to branch-1

        Alejandro Abdelnur made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Fix Version/s 1.2.0 [ 12321659 ]
        Resolution Fixed [ 1 ]
        Daryn Sharp added a comment -

        Just a question, did you test if MR jobs gracefully handle the re-auth response? I'm presuming the job won't have the credentials for a re-auth, so hopefully it makes the job "gracefully" fail?

        Arun C Murthy made changes -
        Fix Version/s 2.0.2-alpha [ 12322473 ]
        Fix Version/s 2.1.0-alpha [ 12321441 ]
        Arun C Murthy made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Alejandro Abdelnur
            Reporter:
            bc Wong
          • Votes:
            0
            Watchers:
            5
