Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential data corruption issue for OCI HDFS Connector with RefreshableOnNotAuthenticatedProvider #35

Open
mricken opened this issue Oct 30, 2020 · 1 comment

Comments

@mricken
Copy link
Member

mricken commented Oct 30, 2020

Update 2020-11-03: We believe we have fixed this issue in version 3.2.1.3. If you are using a RefreshableOnNotAuthenticatedProvider (Instance Principals or Resource Principals, for example), we urge you to update to version 3.2.1.3 or later.

Original issue
If you are using any of the OCI HDFS Connector and you use a RefreshableOnNotAuthenticatedProvider (e.g. InstancePrincipalsCustomAuthenticator, or generally for Resource Principals or Instance Principals) you may be affected by silent data corruption.

Description

When using a RefreshableOnNotAuthenticatedProvider, the OCI Java SDK will attempt to acquire a new security token when receiving a 401 response, which indicates authentication problems, and then automatically retry the request. In this situation, the clients fail to reset the stream position for requests that upload streams. As a result, an empty stream is successfully uploaded, and success may be returned, even though the actual stream content was not uploaded.

Affected and Not Affected Code

It only happens when an authentication details provider that implements RefreshableOnNotAuthenticatedProvider is used, e.g.:

  • Affected: InstancePrincipalsCustomAuthenticator
  • Affected: InstancePrincipalsAuthenticationDetailsProvider
  • Affected: ResourcePrincipalAuthenticationDetailsProvider

It does not happen for other authentication details provider that do not implement said interface, e.g.:

  • Not affected: SimpleAuthenticationDetailsProvider
  • Not affected: ConfigFileAuthenticationDetailsProvider

Workarounds

We believe we have fixed this issue in OCI Java SDK version 1.25.2. If you are using a RefreshableOnNotAuthenticatedProvider (InstancePrincipalsCustomAuthenticator in particular, or generally Instance Principals or Resource Principals, for example) with the OCI HDFS Connector, we urge you to update to version 1.25.2 of the OCI Java SDK by overriding the version of the OCI Java SDK that the OCI HDFS Connector uses.

We apologize for any inconvenience this issue may cause you. We will release an updated version of the OCI HDFS Connector, which uses the fixed version 1.25.2 of the OCI Java SDK, shortly. Please watch this GitHub issue for updates.

@mricken mricken pinned this issue Oct 30, 2020
@y-chandra
Copy link
Member

We have released a new version of the OCI HDFS Connector i.e. 3.2.1.3 (https://github.com/oracle/oci-hdfs-connector/releases/tag/v3.2.1.3) that uses the fixed version 1.25.2 of the OCI Java SDK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants