[
https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yuanbo Liu updated HADOOP-14295:
--------------------------------
Description:
When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy
(Knox) would get an Authorization failure and its host would show as
127.0.0.1 even though Knox wasn't local to the Datanode; error message:
{quote}
"2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
(AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
{quote}
We were able to figure out that the Datanode has Jetty listening on localhost and
that Netty is used to serve requests to the DataNode; this was a measure to improve
performance because of Netty's async NIO design.
I propose to add a check for the x-forwarded-for header, since proxies usually inject
that header, before we do a getRemoteAddr.
was:
Many production environments use firewalls to protect network traffic. In the
specific case of the DataNode UI and other Hadoop servers whose ports may
fall on the list of firewalled ports,
org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses getRemoteAddr
(HttpServletRequest), which may return the firewall host such as 127.0.0.1.
This is unfortunately bad since, if you are using a proxy in addition to doing
perimeter protection and you have added your proxy as a super user, then
checking the proxy IP to authorize the user would fail since getRemoteAddr
would return the IP of the firewall (127.0.0.1).
"2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
(AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
I propose to add a check for the x-forwarded-for header, since proxies usually inject
that header, before we do a getRemoteAddr.
> Authentication proxy filter may fail authorization because of getRemoteAddr
> ---------------------------------------------------------------------------
>
> Key: HADOOP-14295
> URL: https://issues.apache.org/jira/browse/HADOOP-14295
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 3.0.0-alpha2
>
> Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch,
> HADOOP-14295.003.patch
>
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
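The X-Forwarded-For check proposed in the issue has a caveat a defender will want spelled out: the header is set by whoever sends the request, so it must only be honoured when the TCP peer seen by getRemoteAddr is a known forwarder (the firewall or loopback hop), otherwise any client could name the super-user's host and pass the proxy-user authorization. The following stand-alone Java sketch is an added example, not Hadoop's AuthenticationWithProxyUserFilter and not the attached patches; the class name, the forwarder set and all addresses are constructed sample values.

```java
import java.util.Set;

/** Hypothetical helper: picks the address to authorize a proxy user against. */
public class ClientAddressResolver {

    // Hops that sit transparently between the proxy (Knox) and the DataNode,
    // e.g. a loopback firewall forwarder. Constructed sample value.
    private static final Set<String> TRUSTED_FORWARDERS = Set.of("127.0.0.1");

    /**
     * @param remoteAddr value of HttpServletRequest.getRemoteAddr()
     * @param xff        value of the X-Forwarded-For header, or null if absent
     * @return the address that the super-user host check should be run against
     */
    public static String resolveClientAddress(String remoteAddr, String xff) {
        // If the peer is not a forwarder we trust, the header is untrusted input.
        if (xff == null || xff.trim().isEmpty() || !TRUSTED_FORWARDERS.contains(remoteAddr)) {
            return remoteAddr;
        }
        // X-Forwarded-For reads "client, hop1, hop2": the right-most entry was
        // appended by the hop nearest to us. Walk from the right and stop at the
        // first address that is not one of our own forwarders; that is the host
        // that actually connected to our perimeter (Knox, in the report).
        String[] hops = xff.split(",");
        String candidate = remoteAddr;
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) continue;
            candidate = hop;
            if (!TRUSTED_FORWARDERS.contains(hop)) break;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Knox (10.0.0.5) reaching the DataNode through the loopback forwarder:
        // the peer is 127.0.0.1, the header names Knox -> authorize against Knox.
        System.out.println(resolveClientAddress("127.0.0.1", "10.0.0.5"));
        // Forwarder appended Knox after the end user Knox recorded: still Knox.
        System.out.println(resolveClientAddress("127.0.0.1", "203.0.113.7, 10.0.0.5"));
        // Direct client sending a forged header: peer is not a forwarder, header ignored.
        System.out.println(resolveClientAddress("192.168.1.50", "10.0.0.5"));
        // No header at all: fall back to getRemoteAddr as today.
        System.out.println(resolveClientAddress("127.0.0.1", null));
    }
}
```

Expected output, in order: 10.0.0.5, 10.0.0.5, 192.168.1.50, 127.0.0.1.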