Hadoop Common / HADOOP-8816

HTTP Error 413 full HEAD if using kerberos authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.1-alpha
    • Fix Version/s: 2.0.3-alpha, 0.23.7
    • Component/s: net
    • Labels:
      None
    • Environment:

      ubuntu linux with active directory kerberos.

      Description

      The HTTP Authentication: header is too large if using kerberos and the request is rejected by Jetty because Jetty has a too low default header size limit.

      Can be fixed by adding ret.setHeaderBufferSize(1024*128); in org.apache.hadoop.http.HttpServer.createDefaultChannelConnector

      1. HADOOP-8816.patch
        3 kB
        Alejandro Abdelnur
      2. hadoop-common-kerberos-increase-http-header-buffer-size.patch
        0.4 kB
        Moritz Moeller


          Activity

          Alejandro Abdelnur added a comment -

          128K as header buffer size seems a bit too big.

          Could this be related to this? http://www.novell.com/communities/node/11516/kerberos-authentication-may-fail-access-manager-identity-server-users-large-group-members

          Would it be possible to get the actual header size that is making things fail?

          Alejandro Abdelnur added a comment -

          Also, if we tweak the header buffer size, we should do it in a configurable way.

          Moritz Moeller added a comment -

          No, Kerberos tokens do not contain group membership information, but tend to get pretty large, 4-8k base64 encoded.
          I guess 16kb header size would be enough.

          Making that configurable is your choice, I personally wouldn't as I know no things that cause header sizes larger than Kerberos, but then if it was configurable already this ticket wouldn't exist.

          Moritz Moeller added a comment -

          Attached is a patch that changes the header buffer size to 64kb.

          32kb is the highest suggested value that I found in the following pages that deal with the same problem:
          https://issues.alfresco.com/jira/browse/ALF-13810
          https://issues.apache.org/bugzilla/show_bug.cgi?id=42003

          I know no disadvantages of a higher header buffer size limit.

          Alejandro Abdelnur added a comment -

          I've just added a testcase to Moritz' patch.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12564524/HADOOP-8816.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/2031//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/2031//console

          This message is automatically generated.

          Eli Collins added a comment -

          +1 looks good

          How about adding a comment to the test where you check the 63kb length that the buffer size set is for ALL headers which is why you're only adding a 63kb header when the limit is 64kb (leaving 1kb room for other headers). No need to spin a new patch for just adding this comment IMO.
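
Added example, not part of the ticket or the Hadoop patch: a Python check for the question raised in the thread about the actual header size. It serializes a request carrying an `Authorization: Negotiate` token and compares the whole request head against candidate buffer limits. The host, path, other headers and the 4096-byte limit are constructed sample values, and counting the request line and terminating blank line against the limit is an assumption.

```python
import base64

# Constructed sample request: host, path and User-Agent are placeholders.
FIXED_HEADERS = [
    "GET /jmx HTTP/1.1",
    "Host: namenode.example.com:50070",
    "User-Agent: header-size-check/1.0",
    "Accept: */*",
]

def request_head(raw_token: bytes) -> bytes:
    """Serialize request line, headers and the terminating blank line."""
    b64 = base64.b64encode(raw_token).decode("ascii")
    lines = FIXED_HEADERS + [f"Authorization: Negotiate {b64}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def head_size(raw_token_len: int) -> int:
    """Bytes on the wire for a token of the given raw (pre-base64) length."""
    # Zero bytes stand in for a real ticket; only the length matters here.
    return len(request_head(bytes(raw_token_len)))

def fits(raw_token_len: int, limit: int) -> bool:
    """Assumption: the limit covers the whole request head, not one header."""
    return head_size(raw_token_len) <= limit

def max_raw_token(limit: int) -> int:
    """Largest raw token that still fits, or -1 if even an empty one does not."""
    budget = limit - head_size(0)
    if budget < 0:
        return -1
    return (budget // 4) * 3  # base64 emits 4 characters per 3 raw bytes

def report(raw_token_len: int, limits=(4096, 16384, 32768, 65536)):
    """Return (limit, head size, fits?, bytes to spare) for each limit."""
    size = head_size(raw_token_len)
    return [(lim, size, size <= lim, lim - size) for lim in limits]

if __name__ == "__main__":
    for lim, size, ok, spare in report(6000):  # ~8 KB once base64-encoded
        print(f"limit={lim:6d} head={size:5d} fits={ok} spare={spare}")
    print("largest raw token under 64 KB:", max_raw_token(65536))
```

Because the limit is shared by every header, the room left for the token shrinks as cookies and other headers grow, which is why the test in the patch uses a 63kb header against a 64kb limit.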

          Alejandro Abdelnur added a comment -

          Thanks Moritz. Committed to trunk and branch-1.

          Hudson added a comment -

          Integrated in Hadoop-trunk-Commit #3240 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3240/)
          HADOOP-8816. HTTP Error 413 full HEAD if using kerberos authentication. (moritzmoeller via tucu) (Revision 1433567)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1433567
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
          Hudson added a comment -

          Integrated in Hadoop-Yarn-trunk #98 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/98/)
          HADOOP-8816. HTTP Error 413 full HEAD if using kerberos authentication. (moritzmoeller via tucu) (Revision 1433567)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1433567
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk #1287 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1287/)
          HADOOP-8816. HTTP Error 413 full HEAD if using kerberos authentication. (moritzmoeller via tucu) (Revision 1433567)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1433567
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #1315 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1315/)
          HADOOP-8816. HTTP Error 413 full HEAD if using kerberos authentication. (moritzmoeller via tucu) (Revision 1433567)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1433567
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
          Daryn Sharp added a comment -

          I pulled this back into 23. We may want to consider marking this as incompatible or making it a config option because the new 64K buffer causes the tests to hang on OS X, whereas it's fine up to 32K. I haven't debugged why yet.

          Hudson added a comment -

          Integrated in Hadoop-Hdfs-0.23-Build #553 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/553/)
          HADOOP-8816. HTTP Error 413 full HEAD if using kerberos authentication (daryn) (Revision 1455974)

          Result = SUCCESS
          daryn : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1455974
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

            People

            • Assignee: Moritz Moeller
            • Reporter: Moritz Moeller
            • Votes: 0
            • Watchers: 9
