Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-8830

org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Patch Available
    • Critical
    • Resolution: Unresolved
    • 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.2.0
    • None
    • None

    Description

      AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).

      The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.

      If the kerberos authentication is triggered a second time it'll return a replay attack exception.

      I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.

      Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.

      Attachments

        1. HADOOP-8830.20131027.1.patch
          6 kB
          Omkar Vinit Joshi
        2. HADOOP-8830.20131026.1.patch
          3 kB
          Omkar Vinit Joshi

        Issue Links

          duplicates

          Sub-task - The sub-task of the issue YARN-621 RM triggers web auth failure before first job

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-9521 krb5 replay error triggers log file DoS with Safari

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Activity

            People

              ojoshi Omkar Vinit Joshi
              moritzmoeller Moritz Moeller
              Votes:
              3 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated: