[
https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978757#comment-15978757
]
Wei-Chiu Chuang edited comment on HADOOP-14295 at 4/21/17 3:45 PM:
-------------------------------------------------------------------
Sorry to come back to this late.
I took a step back and though about this in depth. I am not quite familiar with
this part of code, but I think it is used by other HDFS daemons (KMS, Httpfs,
etc), and it looks like RM http server also reference this class
(AuthenticationWithProxyUserFilter). So I think it's not prudent to think it
affects just NN and DN.
On a separate node, should the class {{AuthenticationWithProxyUserFilter}} be
annotated with {{\@InterfaceAudience.Private
\@InterfaceStability.Unstable}} just like {{AuthenticationFilter}}? Otherwise
downstream applications can use it.
Would other jira watcher like to chime in? I still would like to know if there
are better alternatives than logging a warning and say it can be a false
positive.
was (Author: jojochuang):
Sorry to come back to this later.
I took a step back and though about this in depth. I am not quite familiar with
this part of code, but I think it is used by other HDFS daemons (KMS, Httpfs,
etc), and it looks like RM http server also reference this class
(AuthenticationWithProxyUserFilter). So I think it's not prudent to think it
affects just NN and DN.
On a separate node, should the class {{AuthenticationWithProxyUserFilter}} be
annotated with {{\@InterfaceAudience.Private
\@InterfaceStability.Unstable}} just like {{AuthenticationFilter}}? Otherwise
downstream applications can use it.
Would other jira watcher like to chime in?
> Authentication proxy filter may fail authorization because of getRemoteAddr
> ---------------------------------------------------------------------------
>
> Key: HADOOP-14295
> URL: https://issues.apache.org/jira/browse/HADOOP-14295
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 3.0.0-alpha2
>
> Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch,
> HADOOP-14295.003.patch, HADOOP-14295.004.patch
>
>
> When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy
> (Knox) would get an Authorization failure and it hosts would should as
> 127.0.0.1 even though Knox wasn't in local host to Datanode, error message:
> {quote}
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter
> (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify
> proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> {quote}
> We were able to figure out that Datanode have Jetty listening on localhost
> and that Netty is used to server request to DataNode, this was a measure to
> improve performance because of Netty Async NIO design.
> I propose to add a check for x-forwarded-for header since proxys usually
> inject that header before we do a getRemoteAddr
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
