[ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14116350#comment-14116350 ]
Hudson commented on HADOOP-10710: --------------------------------- FAILURE: Integrated in Hadoop-Yarn-trunk #664 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/664/]) HADOOP-10911. hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109. (gchanan via tucu) (tucu: rev 156e6a4f8aed69febec408af423b2a8ac313c643) * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/TestKerberosAuthenticator.java * hadoop-common-project/hadoop-common/CHANGES.txt * hadoop-common-project/hadoop-auth/pom.xml * hadoop-project/pom.xml * hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/client/AuthenticatorTestCase.java * hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java > hadoop.auth cookie is not properly constructed according to RFC2109 > ------------------------------------------------------------------- > > Key: HADOOP-10710 > URL: https://issues.apache.org/jira/browse/HADOOP-10710 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.4.0 > Reporter: Alejandro Abdelnur > Assignee: Juan Yu > Fix For: 2.5.0 > > Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch, > HADOOP-10710.003.patch, HADOOP-10710.004.patch, HADOOP-10710.005.patch, > HADOOP-10710.006.patch, HADOOP-10710.007.patch > > > It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are > being constructed. > Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}} > class and corresponding {{HttpServletResponse}} methods. This was taking care > of setting attributes like 'Version=1' and double-quoting the cookie value if > necessary. > HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and > setting values and attributes by hand. This is not taking care of setting > required attributes like Version and escaping the cookie value. > While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is > breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its > access is broken since this change. > It seems that HADOOP-10379 main objective was to set the 'secure' attribute. > Note this can be done using the {{Cookie}} API. > We should revert the cookie creation logic to use the {{Cookie}} API and take > care of the security flag via {{setSecure(boolean)}}. -- This message was sent by Atlassian JIRA (v6.2#6252)