[
https://issues.apache.org/jira/browse/HADOOP-15518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16508318#comment-16508318
]
Eric Yang commented on HADOOP-15518:
------------------------------------
[~sunilg] Multiple AuthenticationFilters configured with different service
principal names is a corner case that shouldn't exist but the code is allowing
this to happen. Comments in this JIRA and YARN-8108 should explain why this is
unsupported use case.
The casting problem is using the same HTTP principal and YARN code is
activating multiple filters that based on AuthenticationFilter. Token casting
issue didn't exist prior to this patch. This patch is making assumption that
filters based on AuthenticationFilter would make compatible tokens, which
RMAuthenticationFilter and AuthenticationFilter don't make the same type of
token. Thus, the casting problem occurs. This problem can be eliminated by
applying same type of AuthenticationFilter on a server port. YARN-8108 can fix
YARN resource manager. There might be other places in Hadoop that might have
similar problems, like KMSAuthenticationFilter and
DelegationTokenAuthenticationFilter that need to be reviewed to understand the
impact of this change.
> Authentication filter calling handler after request already authenticated
> -------------------------------------------------------------------------
>
> Key: HADOOP-15518
> URL: https://issues.apache.org/jira/browse/HADOOP-15518
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1
> Reporter: Kevin Minder
> Assignee: Kevin Minder
> Priority: Major
> Attachments: HADOOP-15518-001.patch
>
>
> The hadoop-auth AuthenticationFilter will invoke its handler even if a prior
> successful authentication has occurred in the current request. This
> primarily affects situations where multiple authentication mechanism has been
> configured. For example when core-site.xml's has
> hadoop.http.authentication.type=kerberos and yarn-site.xml has
> yarn.timeline-service.http-authentication.type=kerberos the result is an
> attempt to perform two Kerberos authentications for the same request. This
> in turn results in Kerberos triggering a replay attack detection. The
> javadocs for AuthenticationHandler
> ([https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java)]
> indicate for the authenticate method that
> {quote}This method is invoked by the AuthenticationFilter only if the HTTP
> client request is not yet authenticated.
> {quote}
> This does not appear to be the case in practice.
> I've create a patch and tested on a limited number of functional use cases
> (e.g. the timeline-service issue noted above). If there is general agreement
> that the change is valid I'll add unit tests to the patch.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
