[
https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15964158#comment-15964158
]
Wei-Chiu Chuang edited comment on HADOOP-14295 at 4/11/17 11:20 AM:
--------------------------------------------------------------------
Hello [~jeffreyr97] thanks for filing this.
IIUC, AuthenticationWithProxyUserFilter was added in HADOOP-13119, which was
fixed in 2.7.4, 3.0.0-alpha2, 2.8.1, and therefore please update affects
versions and target versions accordingly.
Also, it would be awesome if you could also attach a test case. Thanks!
was (Author: jojochuang):
Hello [~jeffreyr97] thanks for filing this.
IIUC, AuthenticationWithProxyUserFilter was added in HADOOP-13119, which was
fixed in 2.7.4, 3.0.0-alpha2, 2.8.1, and therefore please update affects
versions and target versions accordingly.
> Authentication proxy filter on firewall cluster may fail authorization
> because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-14295
> URL: https://issues.apache.org/jira/browse/HADOOP-14295
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 3.0.0-alpha2
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 3.0.0-alpha2
>
> Attachments: hadoop-14295.001.patch
>
>
> Many production environments use firewalls to protect network traffic. In the
> specific case of DataNode UI and other Hadoop server for which their ports
> may fall on the list of firewalled ports the
> org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd
> (HttpServletRequest) which may return the firewall host such as 127.0.0.1.
> This is unfortunately bad since if you are using a proxy in addition to do
> perimeter protection, and you have added your proxy as a super user when
> checking for the proxy IP to authorize user this would fail since
> getRemoteAdd would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
> (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
> proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propese to add a check for x-forwarded-for header since proxys usually
> inject that header before we do a getRemoteAddr
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
