[jira] [Commented] (HADOOP-16366) Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer

Fri, 14 Jun 2019 01:09:29 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-16366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16863819#comment-16863819
 ] 

Prabhu Joseph commented on HADOOP-16366:
----------------------------------------

[~eyang] Thanks for reviewing. It looks redundant but verified the logic is 
correct. {{initializers}} variable has list of user configured initializers, 
{{defaultInitializers}} will be the final list of initializers used.

If {{ProxyUserAuthenticationFilterInitializer}} is configured, then ignore both 
{{AuthenticationFilterInitializer}} and 
{{TimelineReaderAuthenticationFilterInitializer}}. Else, 
{{TimelineReaderAuthenticationFilterInitializer}} will be used and ignore 
{{AuthenticationFilterInitializer}}. And by default, 
{{TimelineReaderWhitelistAuthorizationFilterInitializer}} will be used.

> Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-16366
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16366
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16366-001.patch, HADOOP-16366-002.patch, 
> HADOOP-16366-003.patch
>
>
> YARNUIV2 fails with "Request is a replay attack" when below settings 
> configured.
> {code:java}
> hadoop.security.authentication = kerberos
> hadoop.http.authentication.type = kerberos
> hadoop.http.filter.initializers = 
> org.apache.hadoop.security.AuthenticationFilterInitializer
> yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false{code}
>  AuthenticationFilter is added twice by the Yarn UI2 Context causing the 
> issue.
> {code:java}
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil 
> (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter 
> Name:authentication, 
> className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil 
> (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter 
> Name:authentication, 
> className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> {code}
>  
> Another issue with {{TimelineReaderServer}} which ignores 
> {{ProxyUserAuthenticationFilterInitializer}} when 
> {{hadoop.http.filter.initializers}} is configured.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to