Jeffrey E Rodriguez created HADOOP-14295:
---------------------------------------------
Summary: Authentication proxy filter on firewall cluster may fail
authorization because of getRemoteAddr
Key: HADOOP-14295
URL: https://issues.apache.org/jira/browse/HADOOP-14295
Project: Hadoop Common
Issue Type: Bug
Components: common
Affects Versions: 3.0.0-alpha2
Reporter: Jeffrey E Rodriguez
Assignee: Jeffrey E Rodriguez
Priority: Critical
Many production environments use firewalls to protect network traffic. In the
specific case of the DataNode UI and other Hadoop servers whose ports may
fall on the list of firewalled ports, the
org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses getRemoteAddr
(HttpServletRequest), which may return the firewall host, such as 127.0.0.1.
This is unfortunately bad since, if you are using a proxy in addition to do
perimeter protection, and you have added your proxy as a super user, when
checking for the proxy IP to authorize the user this would fail, since getRemoteAddr
would return the IP of the firewall (127.0.0.1).
"2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
(AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
I propose to add a check for the x-forwarded-for header, since proxies usually inject
that header, before we do a getRemoteAddr.
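An added example, not part of the original report and not Hadoop's code: one way to apply the proposed X-Forwarded-For check so that the header is honored only when getRemoteAddr returns a known firewall hop, since any other client can set the header itself. The class name, the trustedHops parameter and the sample addresses are assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration, not Hadoop code: class, method and addresses are hypothetical.
public class ForwardedAddressResolver {
    // Characters that can appear in an IPv4 or IPv6 literal; anything else is rejected.
    private static final Pattern IP_CHARS = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    /**
     * @param remoteAddr    value of HttpServletRequest.getRemoteAddr()
     * @param xForwardedFor raw X-Forwarded-For header value, or null if absent
     * @param trustedHops   addresses of the firewall hops allowed to supply the header
     * @return the address to use for the proxy-user host check
     */
    static String resolve(String remoteAddr, String xForwardedFor, Set<String> trustedHops) {
        // The header is client-controlled unless the direct peer is a hop we trust.
        if (xForwardedFor == null || !trustedHops.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        // Walk right to left: the rightmost entries were appended by the nearest hops.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IP_CHARS.matcher(hop).matches()) {
                return remoteAddr; // malformed entry: fall back to the socket peer
            }
            if (!trustedHops.contains(hop)) {
                return hop; // first address that is not one of our own hops
            }
        }
        return remoteAddr; // header listed only trusted hops
    }

    public static void main(String[] args) {
        Set<String> firewall = Set.of("127.0.0.1"); // constructed sample values below
        // Proxy 10.1.1.20 reached the server through the firewall: proxy address is used.
        System.out.println(resolve("127.0.0.1", "192.0.2.7, 10.1.1.20", firewall));
        // Direct peer is not the firewall: a forged header is ignored.
        System.out.println(resolve("198.51.100.9", "10.1.1.20", firewall));
        // Firewall supplied no header: the socket peer is used, as before.
        System.out.println(resolve("127.0.0.1", null, firewall));
    }
}
```

Addresses are compared as strings here, so an IPv6 hop must be configured in the same textual form the firewall writes into the header.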