[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978757#comment-15978757 ]
Wei-Chiu Chuang edited comment on HADOOP-14295 at 4/21/17 3:45 PM: ------------------------------------------------------------------- Sorry to come back to this late. I took a step back and though about this in depth. I am not quite familiar with this part of code, but I think it is used by other HDFS daemons (KMS, Httpfs, etc), and it looks like RM http server also reference this class (AuthenticationWithProxyUserFilter). So I think it's not prudent to think it affects just NN and DN. On a separate node, should the class {{AuthenticationWithProxyUserFilter}} be annotated with {{\@InterfaceAudience.Private \@InterfaceStability.Unstable}} just like {{AuthenticationFilter}}? Otherwise downstream applications can use it. Would other jira watcher like to chime in? I still would like to know if there are better alternatives than logging a warning and say it can be a false positive. was (Author: jojochuang): Sorry to come back to this later. I took a step back and though about this in depth. I am not quite familiar with this part of code, but I think it is used by other HDFS daemons (KMS, Httpfs, etc), and it looks like RM http server also reference this class (AuthenticationWithProxyUserFilter). So I think it's not prudent to think it affects just NN and DN. On a separate node, should the class {{AuthenticationWithProxyUserFilter}} be annotated with {{\@InterfaceAudience.Private \@InterfaceStability.Unstable}} just like {{AuthenticationFilter}}? Otherwise downstream applications can use it. Would other jira watcher like to chime in? > Authentication proxy filter may fail authorization because of getRemoteAddr > --------------------------------------------------------------------------- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common > Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1 > Reporter: Jeffrey E Rodriguez > Assignee: Jeffrey E Rodriguez > Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch, > HADOOP-14295.003.patch, HADOOP-14295.004.patch > > > When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy > (Knox) would get an Authorization failure and it hosts would should as > 127.0.0.1 even though Knox wasn't in local host to Datanode, error message: > {quote} > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > {quote} > We were able to figure out that Datanode have Jetty listening on localhost > and that Netty is used to server request to DataNode, this was a measure to > improve performance because of Netty Async NIO design. > I propose to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org