[ 
https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16854498#comment-16854498
 ] 

Prabhu Joseph commented on HADOOP-16314:
----------------------------------------

*TEST CASE REPORT*

 
 *Test Cases Parameters:*
 ******************************

Scenario 1: Secure Cluster + Unsecure Http (Pseudo) + AuthenticationFilterInitializer + anonymous

Scenario 2: Secure Cluster + Unsecure Http (Pseudo) + ProxyUserAuthenticationFilterInitializer + anonymous

Scenario 3: Secure Cluster + Unsecure Http (Pseudo) + AuthenticationFilterInitializer + No anonymous

Scenario 4: Secure Cluster + Unsecure Http (Pseudo) + ProxyUserAuthenticationFilterInitializer + No anonymous

Scenario 5: Secure Cluster + Secure Http (Kerberos) + AuthenticationFilterInitializer

Scenario 6: Secure Cluster + Secure Http (Kerberos) + ProxyUserAuthenticationFilterInitializer

Scenario 7: Secure Cluster + Secure Http (Kerberos) + AuthenticationFilterInitializer + Delegation (yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = true)

 

*Test Cases:*
 ****************

*1. NameNode:*
 ********************

UI: http://pjosephdocker-1.openstacklocal:50070

JMX: curl -v --negotiate -u : http://pjosephdocker-1.openstacklocal:50070/jmx

WebHdfs: curl -sS -L -w '%{http_code}' -X GET -d '' -H 'Content-Length: 0' --negotiate -u : 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'

 

*2. ResourceManager:*
 ****************************

UI1: http://pjosephdocker-1.openstacklocal:8088

UI2: http://pjosephdocker-1.openstacklocal:8088/ui2

REST API: curl -v --negotiate -u : http://pjosephdocker-1.openstacklocal:8088/ws/v1/cluster/apps

yarn logs -applicationId application_1559557164577_0002

RM REST API for delegation token (Scenario 7)

curl -v --negotiate -u : -d '{"renewer":"yarn"}' -H "Content-Type: application/json" -X POST http://pjosephdocker-1.openstacklocal:8088/ws/v1/cluster/delegation-token

kdestroy

curl -i "http://pjosephdocker-1.openstacklocal:8088/ws/v1/cluster/apps?delegation=SQoua25veC9wam9zZXBoZG9ja2VyLTEub3BlbnN0YWNrbG9jYWxARE9DS0VSLkNPTRIEeWFybiCC96nxsC0ogv_bkbMtMAw44gMUwvTs8clO39Z-tzHrU8EpjPTdVKkTUk1fREVMRUdBVElPTl9UT0tFTgA";

yarn daemonlog -setlevel pjosephdocker-1:8088 org.apache.hadoop.security.authentication DEBUG

 

*3. NodeManager:*
 ***********************

Rest API: curl -v --negotiate -u : http://pjosephdocker-1.openstacklocal:8042/ws/v1/node/info

TimelineCollectorWebService: curl -v --negotiate -u : http://pjosephdocker-1.openstacklocal:34291/ws/v2/timeline/

 

*4. ATS2 (TimelineReader):*
 *********************************

curl -v --negotiate -u : http://pjosephdocker-1.openstacklocal:8198/ws/v2/timeline

 

*5. ATS 1.5: (ApplicationHistoryServer):*
 *************************************************

UI: http://pjosephdocker-2.openstacklocal:8188/applicationhistory

REST API: curl -v --negotiate -u : http://pjosephdocker-2.openstacklocal:8188/ws/v1/applicationhistory/apps

 

*6. MapReduce HistoryServer* 
 *************************************

UI: http://pjosephdocker-2.openstacklocal:19888/jobhistory

 

*7. YARN Jobs:*
 ********************

Spark:

./bin/spark-submit --class org.apache.spark.examples.SparkPi --master yarn-client --num-executors 1 --driver-memory 512m --executor-memory 512m --executor-cores 1 examples/jars/spark-examples*.jar 10

Oozie:

[ambari-qa@pjosephdocker-1 spark2]$ oozie job -oozie http://pjosephdocker-1.openstacklocal:11000/oozie -config /tmp/job.properties -run
 job: 0000000-190603094829072-oozie-oozi-W

MapReduce Service Check

Tez Service Check

> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-16314
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch, 
> HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch, 
> Hadoop Web Security.xlsx, scan.txt
>
>
> The enclosed spreadsheet shows the list of web applications deployed 
> by Hadoop, and the filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent.  Most entry points 
> do not support the ?doAs parameter.  This creates a problem for a secure gateway like 
> Knox to proxy the Hadoop web interface on behalf of the end user.  When the 
> receiving end does not check for the ?doAs flag, the web interface would be accessed 
> using the proxy user credential.  This can lead to all kinds of security holes 
> using path traversal to exploit Hadoop. 
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to 
> solve the web impersonation problem.  This task is to track the changes required 
> in the Hadoop code base to apply the authentication filter globally for each of the 
> web service ports.
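
The impersonation gap described in the issue text above, as an added example that is not part of the original message or of Hadoop's code: a simplified Python model of how an entry point that processes ?doAs and one that ignores it resolve the effective user of a gateway request. The proxy rules, the endpoint coverage table, the host name rm.example and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-user rules, modelled on hadoop.proxyuser.<user>.hosts/.users
PROXY_RULES = {"knox": {"hosts": {"10.0.0.5"}, "users": {"alice", "bob"}}}


class ImpersonationDenied(Exception):
    """The authenticated caller is not allowed to act as the requested user."""


def effective_user(auth_user, url, remote_addr, honors_doas):
    """Return the identity a request runs as at one entry point.

    auth_user   -- principal established by authentication (e.g. SPNEGO)
    honors_doas -- True if the entry point's filter processes ?doAs
    """
    do_as = parse_qs(urlsplit(url).query).get("doAs", [None])[0]
    if not honors_doas or not do_as or do_as == auth_user:
        # Without doAs handling the parameter is silently ignored and the
        # request runs with the caller's (the gateway's) own identity.
        return auth_user
    rule = PROXY_RULES.get(auth_user)
    if rule is None or remote_addr not in rule["hosts"] or do_as not in rule["users"]:
        raise ImpersonationDenied(f"{auth_user} may not impersonate {do_as}")
    return do_as


def audit(endpoints, gateway_user, end_user, remote_addr):
    """List entry points where a proxied request would not run as end_user."""
    findings = []
    for path, honors in endpoints.items():
        url = f"http://rm.example:8088{path}?doAs={end_user}"
        try:
            if effective_user(gateway_user, url, remote_addr, honors) != end_user:
                findings.append(path)
        except ImpersonationDenied:
            pass  # rejected outright: nothing runs under the gateway identity
    return findings


# Constructed coverage table: which entry points process ?doAs
ENDPOINTS = {"/ws/v1/cluster/apps": True, "/jmx": False, "/logs": False}

if __name__ == "__main__":
    print(audit(ENDPOINTS, "knox", "alice", "10.0.0.5"))
```

Every path the audit reports is one where the gateway's own privileges would apply instead of the end user's, which is the condition a single shared filter on each web service port removes.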


