[ https://issues.apache.org/jira/browse/HADOOP-15518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160578#comment-17160578 ]
Prabhu Joseph commented on HADOOP-15518: ---------------------------------------- [~jnp] Have not faced this issue while testing Hadoop Daemons after HADOOP-16314. I think this will happen only if user has configured multiple AuthenticationFilterInitializer. But it is safer to have this fix as AuthenticationFilter is used by many other projects like Ranger, Knox, Oozie and it is difficult to find the reason for "Request is a replay attack" on some systems. As per previous comments from [~sunilg], the patch has to use *getRemoteUser* instead of *getUserPrincipal*. > Authentication filter calling handler after request already authenticated > ------------------------------------------------------------------------- > > Key: HADOOP-15518 > URL: https://issues.apache.org/jira/browse/HADOOP-15518 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.7.1 > Reporter: Kevin Minder > Assignee: Kevin Minder > Priority: Major > Attachments: HADOOP-15518-001.patch, HADOOP-15518.002.patch > > > The hadoop-auth AuthenticationFilter will invoke its handler even if a prior > successful authentication has occurred in the current request. This > primarily affects situations where multiple authentication mechanism has been > configured. For example when core-site.xml's has > hadoop.http.authentication.type=kerberos and yarn-site.xml has > yarn.timeline-service.http-authentication.type=kerberos the result is an > attempt to perform two Kerberos authentications for the same request. This > in turn results in Kerberos triggering a replay attack detection. The > javadocs for AuthenticationHandler > ([https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java)] > indicate for the authenticate method that > {quote}This method is invoked by the AuthenticationFilter only if the HTTP > client request is not yet authenticated. > {quote} > This does not appear to be the case in practice. > I've create a patch and tested on a limited number of functional use cases > (e.g. the timeline-service issue noted above). If there is general agreement > that the change is valid I'll add unit tests to the patch. > -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org