[
https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15966980#comment-15966980
]
Yuanbo Liu commented on HADOOP-14295:
-------------------------------------
[~jojochuang] Thanks for your review.
{quote}
could you fix the checkstyle warning
{quote}
Sure, I could do that.
{quote}
As you said this is for accessing...
{quote}
If we use a proxy server(Knox) to access Namenode log locally, it doesn't print
the warning log. If we access Namenode log directly, then we should attach
"x-forwarded-server", otherwise the warning log is unavoidable. It doesn't have
impact on RM/NM because they don't use
{{AuthenticationWithProxyUserFilter.java}} when they construct the filter
chains.
But I think the warning log is harmless, right? After all, it will ignore
"x-forwarded-server" and fallback to getRemoteAddr if the value is empty.
> Authentication proxy filter on firewall cluster may fail authorization
> because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-14295
> URL: https://issues.apache.org/jira/browse/HADOOP-14295
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 3.0.0-alpha2
>
> Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch
>
>
> Many production environments use firewalls to protect network traffic. In the
> specific case of DataNode UI and other Hadoop server for which their ports
> may fall on the list of firewalled ports the
> org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd
> (HttpServletRequest) which may return the firewall host such as 127.0.0.1.
> This is unfortunately bad since if you are using a proxy in addition to do
> perimeter protection, and you have added your proxy as a super user when
> checking for the proxy IP to authorize user this would fail since
> getRemoteAdd would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
> (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
> proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propese to add a check for x-forwarded-for header since proxys usually
> inject that header before we do a getRemoteAddr
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
