[
https://issues.apache.org/jira/browse/HADOOP-19904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084035#comment-18084035
]
ASF GitHub Bot commented on HADOOP-19904:
-----------------------------------------
hadoop-yetus commented on PR #8521:
URL: https://github.com/apache/hadoop/pull/8521#issuecomment-4562212676
:confetti_ball: **+1 overall**
| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 0m 33s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 0s | | No case conflicting files
found. |
| +0 :ok: | codespell | 0m 1s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 1s | | detect-secrets was not available.
|
| +0 :ok: | xmllint | 0m 1s | | xmllint was not available. |
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain
any @author tags. |
| +1 :green_heart: | test4tests | 0m 0s | | The patch appears to
include 2 new or modified test files. |
|||| _ trunk Compile Tests _ |
| +0 :ok: | mvndep | 2m 18s | | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 42m 54s | | trunk passed |
| +1 :green_heart: | compile | 16m 7s | | trunk passed with JDK
Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 :green_heart: | compile | 16m 27s | | trunk passed with JDK
Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 :green_heart: | checkstyle | 5m 31s | | trunk passed |
| +1 :green_heart: | mvnsite | 4m 44s | | trunk passed |
| +1 :green_heart: | javadoc | 3m 50s | | trunk passed with JDK
Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 :green_heart: | javadoc | 3m 51s | | trunk passed with JDK
Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 :green_heart: | spotbugs | 8m 26s | | trunk passed |
| +1 :green_heart: | shadedclient | 31m 56s | | branch has no errors
when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +0 :ok: | mvndep | 0m 28s | | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 59s | | the patch passed |
| +1 :green_heart: | compile | 15m 26s | | the patch passed with JDK
Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 :green_heart: | javac | 15m 26s | | the patch passed |
| +1 :green_heart: | compile | 16m 44s | | the patch passed with JDK
Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 :green_heart: | javac | 16m 44s | | the patch passed |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks
issues. |
| +1 :green_heart: | checkstyle | 5m 34s | | the patch passed |
| +1 :green_heart: | mvnsite | 4m 48s | | the patch passed |
| +1 :green_heart: | javadoc | 3m 52s | | the patch passed with JDK
Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 :green_heart: | javadoc | 3m 52s | | the patch passed with JDK
Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 :green_heart: | spotbugs | 8m 54s | | the patch passed |
| +1 :green_heart: | shadedclient | 32m 22s | | patch has no errors
when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | unit | 3m 36s | | hadoop-auth in the patch
passed. |
| +1 :green_heart: | unit | 23m 14s | | hadoop-common in the patch
passed. |
| +1 :green_heart: | unit | 218m 51s | | hadoop-hdfs in the patch
passed. |
| +1 :green_heart: | asflicense | 1m 24s | | The patch does not
generate ASF License warnings. |
| | | 481m 27s | | |
| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.54 ServerAPI=1.54 base:
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/artifact/out/Dockerfile
|
| GITHUB PR | https://github.com/apache/hadoop/pull/8521 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall
mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle |
| uname | Linux ecadb1a4477c 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6
13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / 460235035c0765da43cc4fbed42a83ee46c6ebc5 |
| Default Java | Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| Multi-JDK versions |
/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04
/usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| Test Results |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/testReport/ |
| Max. process+thread count | 3427 (vs. ulimit of 10000) |
| modules | C: hadoop-common-project/hadoop-auth
hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs U: . |
| Console output |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/console |
| versions | git=2.43.0 maven=3.9.15 spotbugs=4.9.7 |
| Powered by | Apache Yetus 0.14.1 https://yetus.apache.org |
This message was automatically generated.
> HttpServer2 access log does not record the authenticated user
> -------------------------------------------------------------
>
> Key: HADOOP-19904
> URL: https://issues.apache.org/jira/browse/HADOOP-19904
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: KWON BYUNGCHANG
> Priority: Major
> Labels: pull-request-available
>
> h3. Problem
> HttpServer2's access log always records `-` in the `%u` position even
> for authenticated requests:
> Affects every HttpServer2-backed daemon (NN/DN/RM/NM/HttpFS/KMS).
> h3. Root cause
> `AuthenticationFilter` wraps `HttpServletRequest` so downstream
> filters and servlets see the user via `getRemoteUser()`. The wrap
> only flows through the filter chain. Jetty's `RequestLogHandler`
> runs outside the chain on the base `Request`, whose
> `getAuthentication()` stays as `NOT_CHECKED` forever.
> Jetty's native auth path (`jetty-security` Authenticators) sets
> `Request.setAuthentication(...)` directly, which is why standard
> deployments don't have this issue. Hadoop avoids `jetty-security`
> for container portability and pays this cost.
> h3. Fix
> Add a static helper `JettyAuthenticationHelper.publishRemoteUser(...)`
> in hadoop-auth that:
> 1. Reads the effective user (`getRemoteUser()` or an explicit name),
> 2. Calls `Request.setAuthentication(...)` on the base `Request` with
> a minimal inline `Authentication.User` (no `jetty-security`
> dependency),
> Invocation sites cover the paths where the effective user is decided:
> - `AuthenticationFilter.doFilter(filterChain, request, response)` —
> the protected hook called after wrapping. Subclasses
> (`ProxyUserAuthenticationFilter`, `DelegationTokenAuthenticationFilter`)
> wrap with doAs/UGI and route through `super.doFilter`, so this
> single hook covers them.
> - `DelegationTokenAuthenticationHandler.managementOperation` for
> `GETDELEGATIONTOKEN`/`RENEW`/`CANCEL` — the handler writes the
> response inline and returns false, skipping the filter chain, so
> the helper is called directly there.
> - `JspHelper.getUGI` for HDFS Web UI / WebHDFS servlets that resolve
> UGI outside the filter chain.
> No `HttpServer2` configuration changes required; calls are inline at
> each path. Works for both Kerberos and pseudo-auth (both feed the
> user through `getRemoteUser()` / `requestUgi`).
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
