- Bug
- Resolution: Unresolved
- P4
- None
- 8
- x86_64
- linux
A DESCRIPTION OF THE PROBLEM:
We found this bug while using Apache Ranger.
The Ranger client pulls policies from the Ranger server every 30 seconds, which performs two HTTP requests (the first HTTP request returns 401, followed by Kerberos authentication, and then the second HTTP request).
But from a certain moment on, the Ranger client only performs one HTTP request every 30 seconds, and after it returns 401, no subsequent Kerberos authentication or second HTTP request with authentication is triggered.
Finally, we identified the problem in sun.net.www.protocol.http.NegotiateAuthentication#isSupported(). If the first authentication with Kerberos fails, the entry for ($hostname, false) will be saved in supported. After that, calling this method before each authentication will return the false value saved in supported, even if Kerberos has returned to normal.
So I think a feasible way is to provide an API to clear NegotiateAuthentication#supported.
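
A simplified model of the caching behaviour described above, added here as an illustration; it is not code from the report or from the JDK. The class, its methods, the probe and the hostname are all hypothetical, and the probe stands in for whatever decides whether Negotiate can be used for a host.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;

// Hypothetical model of a per-host "is Negotiate supported?" cache.
// Not the JDK's NegotiateAuthentication source.
public class NegotiateCacheModel {
    // Result of the first probe per host, kept for the life of the process.
    private final Map<String, Boolean> supported = new ConcurrentHashMap<>();
    // Assumption: stands in for "a Kerberos negotiator could be created for this host".
    private final Predicate<String> probe;

    NegotiateCacheModel(Predicate<String> probe) { this.probe = probe; }

    // Behaviour as reported: any cached answer, including false, is returned
    // without probing again.
    boolean isSupported(String host) {
        return supported.computeIfAbsent(host, probe::test);
    }

    // Variant that caches only successes, so a failed probe is retried next time.
    boolean isSupportedRetryingFailures(String host) {
        if (Boolean.TRUE.equals(supported.get(host))) return true;
        boolean ok = probe.test(host);
        if (ok) supported.put(host, true);
        return ok;
    }

    // The kind of reset hook the report asks for.
    void clearSupported() { supported.clear(); }

    public static void main(String[] args) {
        boolean[] kerberosUp = {false};          // constructed: Kerberos unavailable at first
        String host = "ranger.example.test";     // constructed hostname

        NegotiateCacheModel cached = new NegotiateCacheModel(h -> kerberosUp[0]);
        NegotiateCacheModel retrying = new NegotiateCacheModel(h -> kerberosUp[0]);

        // During the outage both variants probe and fail; only 'cached' remembers it.
        System.out.println("outage, cached:      " + cached.isSupported(host));
        System.out.println("outage, retrying:    " + retrying.isSupportedRetryingFailures(host));

        kerberosUp[0] = true;                    // Kerberos returns to normal

        // 'cached' consults the stored entry and never runs the probe again.
        System.out.println("recovered, cached:   " + cached.isSupported(host));
        System.out.println("recovered, retrying: " + retrying.isSupportedRetryingFailures(host));

        // After an explicit reset the next call probes again.
        cached.clearSupported();
        System.out.println("after clear, cached: " + cached.isSupported(host));
    }
}
```

For a client like the policy puller in the report, the stuck state shows up as a steady stream of single 401 responses with no authenticated follow-up request, which is worth alerting on because policies stop refreshing.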