[jira] [Commented] (HADOOP-14295) Authentication proxy filter may fail authorization because of getRemoteAddr

Sun, 09 Sep 2018 21:30:56 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608712#comment-16608712
 ] 

Hadoop QA commented on HADOOP-14295:
------------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m  
0s{color} | {color:blue} Docker mode activated. {color} |
| {color:red}-1{color} | {color:red} patch {color} | {color:red}  0m  7s{color} 
| {color:red} HADOOP-14295 does not apply to trunk. Rebase required? Wrong 
Branch? See https://wiki.apache.org/hadoop/HowToContribute for help. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Issue | HADOOP-14295 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12863439/HADOOP-14295.004.patch
 |
| Console output | 
https://builds.apache.org/job/PreCommit-HADOOP-Build/15162/console |
| Powered by | Apache Yetus 0.8.0   http://yetus.apache.org |


This message was automatically generated.



> Authentication proxy filter may fail authorization because of getRemoteAddr
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>            Priority: Critical
>         Attachments: HADOOP-14295.002.patch, HADOOP-14295.003.patch, 
> HADOOP-14295.004.patch, hadoop-14295.001.patch
>
>
> When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy 
> (Knox) would get an Authorization failure and it hosts would should as 
> 127.0.0.1 even though Knox wasn't in local host to Datanode, error message:
> {quote}
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter 
> (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify 
> proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> {quote}
> We were able to figure out that Datanode have Jetty listening on localhost 
> and that Netty is used to server request to DataNode, this was a measure to 
> improve performance because of Netty Async NIO design.
> I propose to add a check for x-forwarded-for header since proxys usually 
> inject that header before we do a getRemoteAddr



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to