[HIVE-22841] ThriftHttpServlet#getClientNameFromCookie should handle CookieSigner IllegalArgumentException on invalid cookie signature - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.0.0-alpha-1
Component/s: HiveServer2
Labels:
None

Description

Currently CookieSigner throws an IllegalArgumentException if the cookie signature is invalid.

if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
      throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
        " current = " + currentSignature);
    }

CookieSigner is only used in the ThriftHttpServlet#getClientNameFromCookie and doesn't handle the IllegalArgumentException. It is only checking if the value from the cookie is null or not.

https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java#L295

      currValue = signer.verifyAndExtract(currValue);
      // Retrieve the user name, do the final validation step.
      if (currValue != null) {

This should be fixed to either:
a) Have CookieSigner not return an IllegalArgumentException
b) Improve ThriftHttpServlet to handle CookieSigner throwing an IllegalArgumentException

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-22841.1.patch
10/Feb/20 17:19
20 kB
Kevin Risden
HIVE-22841.2.patch
11/Feb/20 16:19
21 kB
Kevin Risden
HIVE-22841.3.patch
16/Mar/20 14:12
21 kB
Kevin Risden

Issue Links

relates to

HIVE-9710 HiveServer2 should support cookie based authentication, when using HTTP transport.

Closed

Activity

People

Assignee:: Kevin Risden

Reporter:: Kevin Risden

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 06/Feb/20 15:00

Updated:: 17/Nov/22 08:51

Resolved:: 18/Mar/20 06:02