[https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855152#comment-16855152]
Eric Yang commented on HADOOP-16314:
------------------------------------
[~Prabhu Joseph] If I am reading patch 5 code correctly, this will ignore both
AuthenticationFilter, and also ProxyUserAuthenticationFilter. Is there another
code path that is used to ensure ApplicationHistoryServer is protected?
{code}
diff --git
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index 4e3a1e6..11f1b07 100644
---
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -28,8 +28,10 @@
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.metrics2.source.JvmMetrics;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.HttpCrossOriginFilterInitializer;
import org.apache.hadoop.security.SecurityUtil;
+import
org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer;
import org.apache.hadoop.service.CompositeService;
import org.apache.hadoop.service.Service;
import org.apache.hadoop.util.ExitUtil;
@@ -261,8 +263,15 @@ private void startWebApp() {
}
TimelineServerUtils.addTimelineAuthFilter(
initializers, defaultInitializers, secretManagerService);
+
+ Set<String> ignoreInitializers = new LinkedHashSet<String>();
+ ignoreInitializers.add(AuthenticationFilterInitializer.class.getName());
+ ignoreInitializers.add(
+ ProxyUserAuthenticationFilterInitializer.class.getName());
+
TimelineServerUtils.setTimelineFilters(
- conf, initializers, defaultInitializers);
+ conf, initializers, defaultInitializers, ignoreInitializers);
+
String bindAddress = WebAppUtils.getWebAppBindURL(conf,
YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
WebAppUtils.getAHSWebAppURLWithoutScheme(conf));
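Review bot: the ignoreInitializers set built inline in startWebApp excludes both AuthenticationFilterInitializer and ProxyUserAuthenticationFilterInitializer from setTimelineFilters with no comment explaining why, so from this hunk alone the only authentication that remains is whatever addTimelineAuthFilter registered just above. Add a comment at the set's construction stating that the timeline auth filter is the one intended to cover every ApplicationHistoryServer endpoint and why the two generic initializers must be skipped here, and consider moving the set into a named constant or into a helper beside addTimelineAuthFilter in TimelineServerUtils so the intent is self-documenting and other callers of setTimelineFilters do not repeat the list by hand.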
{code}
Is there any way to make the initialization code more straightforward?
> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
> Key: HADOOP-16314
> URL: https://issues.apache.org/jira/browse/HADOOP-16314
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch,
> HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch,
> Hadoop Web Security.xlsx, scan.txt
>
>
> The enclosed spreadsheet shows the list of web applications deployed
> by Hadoop, and the filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent. Most entry points
> do not support the ?doAs parameter. This creates problems for a secure gateway like
> Knox to proxy the Hadoop web interface on behalf of the end user. When the
> receiving end does not check for the ?doAs flag, the web interface would be accessed
> using the proxy user credential. This can lead to all kinds of security holes
> using path traversal to exploit Hadoop.
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to
> solve the web impersonation problem. This task is to track the changes required
> in the Hadoop code base to apply the authentication filter globally for each of the
> web service ports.
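The doAs behaviour the issue description refers to, as an added Python illustration that is not Hadoop's ProxyUserAuthenticationFilter code: it models an endpoint that honours ?doAs with a proxy-user authorization check beside one that ignores it and therefore runs the request as the gateway's own identity. The hadoop.proxyuser.<user>.users/.hosts keys are the real Hadoop proxy-user configuration keys; the configuration values, user names, addresses and requests are constructed, and the host check is simplified to exact address matches.

```python
"""Model of doAs impersonation on a Hadoop-style web endpoint.

Added illustration, not Hadoop's ProxyUserAuthenticationFilter: the config
keys are the real hadoop.proxyuser.<user>.users/.hosts keys, while the
sample configuration, users, addresses and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed: only the gateway 'knox' on 10.0.0.5 may impersonate alice/bob.
CONF = {
    "hadoop.proxyuser.knox.users": "alice,bob",
    "hadoop.proxyuser.knox.hosts": "10.0.0.5",
}

@dataclass
class Request:
    remote_user: str   # principal established by the AuthenticationFilter
    remote_addr: str
    params: Dict[str, str] = field(default_factory=dict)

class Forbidden(Exception):
    pass

def _conf_set(key: str) -> Set[str]:
    return {v.strip() for v in CONF.get(key, "").split(",") if v.strip()}

def authorize_proxy(proxy_user: str, remote_addr: str, target: str) -> bool:
    """Simplified proxy-user check: the caller may act as target only if both
    its allowed-users list and its allowed-hosts list permit it ('*' = any)."""
    users = _conf_set(f"hadoop.proxyuser.{proxy_user}.users")
    hosts = _conf_set(f"hadoop.proxyuser.{proxy_user}.hosts")
    return (target in users or "*" in users) and (remote_addr in hosts or "*" in hosts)

def effective_user(req: Request, honors_do_as: bool) -> str:
    """Identity the endpoint acts as. honors_do_as=False models the endpoints
    the issue describes: ?doAs is ignored, so the request runs as the proxy user."""
    target = req.params.get("doAs")
    if not honors_do_as or target is None:
        return req.remote_user
    if not authorize_proxy(req.remote_user, req.remote_addr, target):
        raise Forbidden(f"{req.remote_user} may not impersonate {target}")
    return target

def outcome(req: Request, honors_do_as: bool) -> str:
    """The effective user, or '403' when impersonation is refused."""
    try:
        return effective_user(req, honors_do_as)
    except Forbidden:
        return "403"
```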
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)