[ https://issues.apache.org/jira/browse/HADOOP-16366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16862722#comment-16862722 ]
Prabhu Joseph commented on HADOOP-16366: ---------------------------------------- [~eyang] Thanks for checking this. There are two separate {{FilterHolder}} created with same name "authentication" one for SPNEGO_FILTER ({{AuthenticationFilter}}) and another at {{AuthenticationFilterInitializer}} ({{AuthenticationFilter}}). Both gets initialized for the {{WebAppContext}} irrespective of their names (same or different). The overlap happens based on their {{FilterMapping#pathSpecs}}. Currently there is no overlap as SPNEGO_FILTER has Null pathSpec which will never be called while handling request ({{CachedChain.doFilter}}). The overlap will happen when both has same pathSpec (example /*). Below combinations will overlap as their pathSpecs overlap. {code:java} 1.FilterHolder name Filter FilterMapping#PathSpec authentication AuthenticationFilter /* authentication AuthenticationFilter /* 2.FilterHolder name Filter FilterMapping#PathSpec SpnegoFilter AuthenticationFilter /* authentication AuthenticationFilter /* {code} Below combinations won't overlap as their pathSpecs don't. {code:java} 1.FilterHolder name Filter FilterMapping#PathSpec authentication AuthenticationFilter Null authentication AuthenticationFilter /* 2.FilterHolder name Filter FilterMapping#PathSpec SpnegoFilter AuthenticationFilter Null authentication AuthenticationFilter /* {code} But one reason where it is better to have different names in case if we have a need to map the {{FilterHolder#getName()}} with its corresponding {{FilterMapping#getFilterName}}. With same names for both {{FilterHolder}}, we will end up with two mappings Null and /* for both {{FilterHolder}}. > Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer > ------------------------------------------------------------------------- > > Key: HADOOP-16366 > URL: https://issues.apache.org/jira/browse/HADOOP-16366 > Project: Hadoop Common > Issue Type: Sub-task > Components: security > Affects Versions: 3.3.0 > Reporter: Prabhu Joseph > Assignee: Prabhu Joseph > Priority: Major > Attachments: HADOOP-16366-001.patch, HADOOP-16366-002.patch > > > YARNUIV2 fails with "Request is a replay attack" when below settings > configured. > {code:java} > hadoop.security.authentication = kerberos > hadoop.http.authentication.type = kerberos > hadoop.http.filter.initializers = > org.apache.hadoop.security.AuthenticationFilterInitializer > yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false{code} > AuthenticationFilter is added twice by the Yarn UI2 Context causing the > issue. > {code:java} > 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil > (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter > Name:authentication, > className=org.apache.hadoop.security.authentication.server.AuthenticationFilter > 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil > (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter > Name:authentication, > className=org.apache.hadoop.security.authentication.server.AuthenticationFilter > {code} > > Another issue with {{TimelineReaderServer}} which ignores > {{ProxyUserAuthenticationFilterInitializer}} when > {{hadoop.http.filter.initializers}} is configured. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org