[ https://issues.apache.org/jira/browse/HADOOP-16366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16862722#comment-16862722 ]

Prabhu Joseph commented on HADOOP-16366:
----------------------------------------

[~eyang] Thanks for checking this. There are two separate {{FilterHolder}}s 
created with the same name "authentication", one for SPNEGO_FILTER 
({{AuthenticationFilter}}) and another at {{AuthenticationFilterInitializer}} 
({{AuthenticationFilter}}). Both get initialized for the {{WebAppContext}} 
irrespective of their names (same or different). The overlap happens based on 
their {{FilterMapping#pathSpecs}}. Currently there is no overlap, as 
SPNEGO_FILTER has a Null pathSpec, which will never be called while handling 
a request ({{CachedChain.doFilter}}). The overlap will happen when both have the 
same pathSpec (example /*).

The below combinations will overlap as their pathSpecs overlap.
{code:java}
1. FilterHolder name     Filter                  FilterMapping#PathSpec
   authentication        AuthenticationFilter    /*
   authentication        AuthenticationFilter    /*

2. FilterHolder name     Filter                  FilterMapping#PathSpec
   SpnegoFilter          AuthenticationFilter    /*
   authentication        AuthenticationFilter    /*
{code}
The below combinations won't overlap as their pathSpecs don't.
{code:java}
1. FilterHolder name     Filter                  FilterMapping#PathSpec
   authentication        AuthenticationFilter    Null
   authentication        AuthenticationFilter    /*

2. FilterHolder name     Filter                  FilterMapping#PathSpec
   SpnegoFilter          AuthenticationFilter    Null
   authentication        AuthenticationFilter    /*
{code}
But one reason it is better to have different names is in case we have a 
need to map the {{FilterHolder#getName()}} with its corresponding 
{{FilterMapping#getFilterName}}. With the same names for both {{FilterHolder}}s, 
we will end up with two mappings, Null and /*, for both {{FilterHolder}}s.

> Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-16366
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16366
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16366-001.patch, HADOOP-16366-002.patch
>
>
> YARNUIV2 fails with "Request is a replay attack" when the below settings 
> are configured.
> {code:java}
> hadoop.security.authentication = kerberos
> hadoop.http.authentication.type = kerberos
> hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
> yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false
> {code}
> AuthenticationFilter is added twice by the Yarn UI2 Context, causing the 
> issue.
> {code:java}
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> {code}
>  
> Another issue is with {{TimelineReaderServer}}, which ignores 
> {{ProxyUserAuthenticationFilterInitializer}} when 
> {{hadoop.http.filter.initializers}} is configured.
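
The pathSpec rule described in the comment, modelled as an added example that is not part of the original message and is not Hadoop or Jetty code: it checks the four combinations listed above and reports when {{AuthenticationFilter}} would run twice for one request. The names {{FilterOverlapCheck}}, {{Mapping}}, {{matches}} and {{duplicatedFilters}} are hypothetical, the path matching is a simplified stand-in for the container's, and the request path is constructed.

```java
import java.util.*;

public class FilterOverlapCheck {
    // One table row from the comment: holder name, filter class, mapping pathSpec (null = Null).
    record Mapping(String holderName, String filterClass, String pathSpec) {}

    // Simplified servlet path matching (assumption): "/*", prefix "/a/*", or exact.
    // A null pathSpec never matches, so that filter is never placed in the chain.
    static boolean matches(String pathSpec, String path) {
        if (pathSpec == null) return false;
        if (pathSpec.equals("/*")) return true;
        if (pathSpec.endsWith("/*")) {
            String prefix = pathSpec.substring(0, pathSpec.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pathSpec.equals(path);
    }

    // Filter classes that would run more than once for this request path.
    // Holder names play no part in the decision, only the pathSpecs do.
    static Set<String> duplicatedFilters(List<Mapping> mappings, String path) {
        Map<String, Integer> hits = new LinkedHashMap<>();
        for (Mapping m : mappings) {
            if (matches(m.pathSpec(), path)) hits.merge(m.filterClass(), 1, Integer::sum);
        }
        Set<String> dup = new LinkedHashSet<>();
        hits.forEach((cls, n) -> { if (n > 1) dup.add(cls); });
        return dup;
    }

    public static void main(String[] args) {
        String af = "AuthenticationFilter";
        // Constructed input: the four combinations from the comment, in order.
        List<List<Mapping>> combos = List.of(
            List.of(new Mapping("authentication", af, "/*"), new Mapping("authentication", af, "/*")),
            List.of(new Mapping("SpnegoFilter", af, "/*"), new Mapping("authentication", af, "/*")),
            List.of(new Mapping("authentication", af, null), new Mapping("authentication", af, "/*")),
            List.of(new Mapping("SpnegoFilter", af, null), new Mapping("authentication", af, "/*")));
        for (List<Mapping> combo : combos) {
            // "/ui2/index.html" is a constructed request path used only for this check.
            Set<String> dup = duplicatedFilters(combo, "/ui2/index.html");
            System.out.println(combo + " -> " + (dup.isEmpty() ? "no overlap" : "overlap: " + dup));
        }
    }
}
```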


