rzepinskip opened a new pull request, #19520: URL: https://github.com/apache/druid/pull/19520
### Description

This PR fixes a bug in the `druid-kerberos` extension where an expired or empty Kerberos authentication cookie would short-circuit the entire authenticator chain, resulting in a persistent HTTP 403 error and preventing other authenticators (like LDAP) from handling the request.

#### Fixed Kerberos authentication chain short-circuit

When a Kerberos session expires, the browser may be left with an empty `hadoop.auth` cookie. Previously, `KerberosAuthenticator` would attempt to verify this empty cookie, causing a `SignerException` that blocked the rest of the authenticator chain.

Key fixes:

* **Cookie Deletion:** Added `Max-Age=0` to the `Set-Cookie` header when clearing the `hadoop.auth` cookie. Previously, the browser would treat the empty-value cookie as a session cookie rather than deleting it.
* **Empty Cookie Handling:** Updated `getToken()` to explicitly check for empty cookie values. Empty cookies are now treated as "no cookie present," allowing the request to proceed to the next authenticator in the chain instead of throwing a 403 error.
#### Code quality and test fixes

* **Fixed compilation:** Added missing `mockito-core` dependency to `druid-kerberos` to resolve test compilation errors.
* **Modernized Java:** Adopted Java 17 pattern variables and updated string checks to use `isEmpty()`.
* **Resolved lint warnings:**
  * Replaced identity comparison (`!=`) for `AuthenticationToken.ANONYMOUS` with `.equals()`.
  * Added missing `@Nullable` annotations to standard override methods.
  * Marked internal configuration fields as `final`.

#### Release note

Fixed a bug in `druid-kerberos` where an expired authentication cookie could prevent other authenticators in the chain from working, causing a persistent 403 error.

<hr>

##### Key changed/added classes in this PR

* `KerberosAuthenticator`
* `KerberosAuthenticatorTest`
* `pom.xml` (druid-kerberos)

<hr>

This PR has:

- [x] been self-reviewed.
- [x] a release note entry in the PR description.
- [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
- [x] been tested in a test Druid cluster.
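The two halves of the bug described above, reproduced as an added example that is not code from the PR, from Apache Druid or from Hadoop. The first half uses Python's standard `http.cookiejar` as a stand-in browser to show that `Set-Cookie: hadoop.auth=` leaves an empty cookie in the jar while the same header with `Max-Age=0` deletes it. The second half models the authenticator chain: the "before" `getToken()` hands an empty value to the signature verifier and short-circuits with a 403, the "after" version treats an empty value as no cookie and lets the next authenticator run. The request URL, the signing secret, the `sign`/`verify_and_extract` helpers (which only copy Hadoop's `&s=` separator convention, not its real MAC) and the LDAP stand-in are all assumptions made for the demo.

```python
"""Added example, not Apache Druid or Hadoop code: empty-cookie deletion
(Max-Age=0) and empty-cookie handling in a Kerberos-first authenticator chain."""
import email.message
import hashlib
import hmac
import http.cookiejar
import urllib.request

COOKIE_NAME = "hadoop.auth"
# Constructed request URL and signing secret: assumptions for this demo only.
URL = "http://druid.example.com:8081/druid/coordinator/v1/status"
SECRET = b"demo-signing-secret"

CLEAR_BEFORE = f"{COOKIE_NAME}=; Path=/; HttpOnly"            # old clear header
CLEAR_AFTER = f"{COOKIE_NAME}=; Path=/; HttpOnly; Max-Age=0"  # fixed clear header


class SignerException(Exception):
    """Stand-in for Hadoop's SignerException."""


def sign(text):
    """Simplified stand-in for Hadoop's Signer: text + "&s=" + MAC (not the real MAC)."""
    mac = hmac.new(SECRET, text.encode(), hashlib.sha256).hexdigest()
    return f"{text}&s={mac}"


def verify_and_extract(signed):
    """Like Signer.verifyAndExtract: a value without "&s=" is invalid signed text."""
    idx = signed.rfind("&s=")
    if idx == -1:
        raise SignerException(f"Invalid signed text: {signed!r}")
    text, mac = signed[:idx], signed[idx + 3:]
    expected = hmac.new(SECRET, text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise SignerException("Invalid signature")
    return text


class _Response:
    """Minimal HTTP response stand-in: http.cookiejar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def stored_cookie(jar, name=COOKIE_NAME):
    """Value the client would send on its next request, or None if deleted."""
    for cookie in jar:
        if cookie.name == name:
            return cookie.value
    return None


def browser_after_clear(clear_header):
    """Store a signed cookie, then apply the server's 'clear' header to the jar."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(URL)
    signed = sign("u=alice&t=kerberos")
    jar.extract_cookies(_Response([f"{COOKIE_NAME}={signed}; Path=/; HttpOnly"]), request)
    assert stored_cookie(jar) == signed
    jar.extract_cookies(_Response([clear_header]), request)
    return stored_cookie(jar)  # "" for CLEAR_BEFORE, None for CLEAR_AFTER


def kerberos_token_before(cookies):
    """Old getToken(): only a missing cookie means 'not my request'."""
    raw = cookies.get(COOKIE_NAME)
    if raw is None:
        return None
    return verify_and_extract(raw)  # raw == "" -> SignerException -> 403


def kerberos_token_after(cookies):
    """Fixed getToken(): an empty value is treated as no cookie present."""
    raw = cookies.get(COOKIE_NAME)
    if raw is None or raw == "":
        return None
    return verify_and_extract(raw)


def run_chain(cookies, kerberos_get_token):
    """Kerberos first, then an LDAP stand-in that accepts anything it is given.
    Returns 403 when Kerberos short-circuits, else the authenticator that won."""
    try:
        token = kerberos_get_token(cookies)
    except SignerException:
        return 403
    if token is not None:
        return "kerberos"
    return "ldap"
```

`browser_after_clear(CLEAR_BEFORE)` returns the empty string (the jar keeps an empty `hadoop.auth` cookie and would send it on the next request), while `browser_after_clear(CLEAR_AFTER)` returns `None`. Feeding that empty value to the chain gives `403` with `kerberos_token_before` and `"ldap"` with `kerberos_token_after`, which is exactly the behavioural change the two fixes above describe.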
