[ 
https://issues.apache.org/jira/browse/HDFS-4564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13873817#comment-13873817
 ] 

Daryn Sharp commented on HDFS-4564:
-----------------------------------

This bug will trigger the NPE described in HADOOP-9363.  The authenticator 
handling is flawed because the JDK will transparently SPNEGO auth, but webhdfs 
will unnecessarily interpret a login failure as fallback to pseudo auth.  This 
triggers another JDK bug resulting in a replay attack.

For some reason, if there are 16 persistent connections open (webhdfs tries to 
disconnect, but the HttpURLConnection javadocs indicate it may not honor the 
close and it certainly does not per tcpdump), the com.sun code will send the 
OPTIONS request to a cached connection, and also immediately open a new 
connection to send the same OPTIONS request.  The new connection reuses the 
cached connection's service ticket and boom - replay attack.

> Webhdfs returns incorrect http response codes for denied operations
> -------------------------------------------------------------------
>
>                 Key: HDFS-4564
>                 URL: https://issues.apache.org/jira/browse/HDFS-4564
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>
> Webhdfs is returning 401 (Unauthorized) instead of 403 (Forbidden) when it's 
> denying operations.  Examples include rejecting invalid proxy user attempts 
> and renew/cancel with an invalid user.
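The distinction the issue and comment turn on, as an added illustration that is not Hadoop or WebHDFS code: a 401 should only be sent to a caller who has not authenticated (with a challenge), while the denials named above (an invalid proxy-user attempt, renew/cancel by a user who does not own the token) come from an authenticated caller and are a 403, which a client must never read as a signal to fall back to another auth scheme. The `Request` layout, `PROXY_USERS` policy and operation names are assumptions for the example.

```python
# Added example (not Hadoop/WebHDFS code): choosing 401 vs 403 for the denial
# cases named in HDFS-4564, and the matching client-side interpretation.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class Request:
    op: str                            # operation name, e.g. "OPEN" (assumed)
    user: Optional[str] = None         # authenticated principal; None if unauthenticated
    doas: Optional[str] = None         # proxy-user target ("doas=" style parameter)
    token_owner: Optional[str] = None  # owner of the delegation token being renewed/cancelled

# Constructed policy: which principals may impersonate which users.
PROXY_USERS: Dict[str, Set[str]] = {"oozie": {"alice", "bob"}}

TOKEN_OPS = {"RENEWDELEGATIONTOKEN", "CANCELDELEGATIONTOKEN"}  # assumed op names

def webhdfs_status(req: Request) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) as a correctly behaving server would."""
    # No credentials at all: the only case that should challenge the client.
    if req.user is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    # Invalid proxy-user attempt: caller is authenticated but may not impersonate.
    if req.doas is not None and req.doas not in PROXY_USERS.get(req.user, set()):
        return 403, {}
    # Renew/cancel of a token by a principal who does not own it: authenticated, denied.
    if req.op in TOKEN_OPS and req.token_owner != req.user:
        return 403, {}
    return 200, {}

def client_should_reauthenticate(status: int, headers: Dict[str, str]) -> bool:
    """Client side: only a 401 carrying a challenge means 'authenticate (again)'.
    A 403 is a final authorization answer, not a cue to fall back to pseudo auth."""
    return status == 401 and "WWW-Authenticate" in headers
```

A client that instead treats every 401 as "Kerberos login failed, try pseudo auth" is exactly the unnecessary fallback the comment describes.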



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)