[jira] [Commented] (HADOOP-13119) Add ability to secure log servlet using proxy users

2018-03-09 Thread Hudson (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16394076#comment-16394076 ]

Hudson commented on HADOOP-13119:
-

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13810 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/13810/])
Revert "HADOOP-13119. Add ability to secure log servlet using proxy (wangda: rev fa6a8b78d481d3b4d355e1bf078f30dd5e09850d)
* (delete) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
* (delete) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
* (delete) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationWithProxyUserFilter.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
* (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java


> Add ability to secure log servlet using proxy users
> ---
>
> Key: HADOOP-13119
> URL: https://issues.apache.org/jira/browse/HADOOP-13119
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.8.0, 2.7.4
> Reporter: Jeffrey E Rodriguez
> Assignee: Yuanbo Liu
> Priority: Major
> Labels: security
> Fix For: 2.9.0, 2.7.4, 3.0.0-alpha4, 2.8.2
>
> Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, HADOOP-13119.003.patch, HADOOP-13119.004.patch, HADOOP-13119.005.patch, HADOOP-13119.005.patch, screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org



[jira] [Commented] (HADOOP-13119) Add ability to secure log servlet using proxy users

2018-02-12 Thread Eric Yang (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16361794#comment-16361794 ]

Eric Yang commented on HADOOP-13119:


[~arpitagarwal] the test case is invalid.  Your curl command does not contain 
--negotiate -u :, and Null user can only happen if HADOOP-14077 is applied.




[jira] [Commented] (HADOOP-13119) Add ability to secure log servlet using proxy users

2017-08-25 Thread Arpit Agarwal (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16141927#comment-16141927 ]

Arpit Agarwal commented on HADOOP-13119:


This change looks incompatible. It breaks doAs for kerberized clusters that 
allow anonymous auth on the RM webserver. It is not a secure setup but I am 
sure it is being used.

Exact exception below (also HADOOP-14728):
{code}
$ curl -ik 'http://w.x.y.z:8088/ws/v1/cluster/appstatistics/?doAs=guest'
HTTP/1.1 500 Null user
Cache-Control: must-revalidate,no-cache,no-store
Date: Fri, 11 Aug 2017 06:45:28 GMT
Pragma: no-cache
Date: Fri, 11 Aug 2017 06:45:28 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Content-Length: 4288
Server: Jetty(6.1.26.hwx)




Error 500 Null user

HTTP ERROR 500
Problem accessing /ws/v1/cluster/appstatistics/. Reason:
Null user
Caused by: java.lang.IllegalArgumentException: Null user
  at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1409)
  at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1396)
  at org.apache.hadoop.security.AuthenticationWithProxyUserFilter$1.getRemoteOrProxyUser(AuthenticationWithProxyUserFilter.java:81)
  at org.apache.hadoop.security.AuthenticationWithProxyUserFilter$1.getRemoteUser(AuthenticationWithProxyUserFilter.java:92)
  at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:95)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.apache.hadoop.security.AuthenticationWithProxyUserFilter.doFilter(AuthenticationWithProxyUserFilter.java:101)
  at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:576)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.apache.hadoop.security.http.CrossOriginFilter.doFilter(CrossOriginFilter.java:95)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1426)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
  at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
  at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
  at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
  at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
  at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
  at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
  at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
  at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
  at org.mortbay.jetty.Server.handle(Server.java:326)
  at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
  at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
  at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
  at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
  at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
  at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
  at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

Powered by Jetty://


{code}


This worked prior to HADOOP-13119.
{code}
$ curl -ik 'http://w.x.y.z:8088/ws/v1/cluster/appstatistics/?doAs=guest'
HTTP/1.1 200 OK
Cache-Control: no-cache
Expires: Fri, 11 Aug 2017 06:41:24 GMT
Date: Fri, 11 Aug 2017 06:41:24 GMT
Pragma: no-cache
Expires: Fri, 11 Aug 2017 06:41:24 GMT
Date: Fri, 11 Aug 2017 06:41:24 GMT
Pragma: no-cache
Content-Type: application/json
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Server: Jetty(6.1.26.hwx)

{"appStatInfo":{"statItem":[{"state":"ACCEPTED","type":"*","count":0},{"state":"KILLED","type":"*","count":0},{"state":"NEW","type":"*","count":0},{"state":"FAILED","type":"*","count":14},{"state":"SUBMITTED","type":"*","count":0},{"state":"FINISHED","type":"*","count":932},{"state":"NEW_SAVING","type":"*","count":0},{"state":"RUNNING","type":"*","count":0}]}}
{code}


Unfortunately this change was released in 2.7.4 but it should probably be 
reverted from 2.8.2, 2.7.5 and 2.9.0.

cc [~lmc...@apache.org] and found by [~kpandey].

> Add ability to secure log servlet using proxy users
> ---
>
>
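
The failure shown in the stack trace of the 2017-08-25 comment, modelled as an added example (not code from the Hadoop project or from any commenter): a `doAs` request that arrives with no authenticated user reaches a user-construction call that rejects null. The class, its method names, the allow-list contents and the behaviour of the guarded variant are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Constructed model of the failure in the stack trace; not Hadoop source code.
public class ProxyUserResolution {
    // Hypothetical impersonation allow-list: real user -> users it may act as.
    static final Map<String, Set<String>> MAY_IMPERSONATE = Map.of("gateway", Set.of("guest"));

    // Stand-in for UserGroupInformation.createRemoteUser, which rejects a null name.
    static String createRemoteUser(String user) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("Null user");
        }
        return user;
    }

    // Unguarded: assumes authentication always yields a user name.
    static String resolveUnguarded(String remoteUser, String doAs) {
        if (doAs == null) {
            return remoteUser;
        }
        String realUser = createRemoteUser(remoteUser); // throws when the request is anonymous
        return authorize(realUser, doAs);
    }

    // Guarded (assumed behaviour): an anonymous request has no real user to authorize,
    // so doAs is refused as an authorization failure instead of an unhandled exception.
    static String resolveGuarded(String remoteUser, String doAs) {
        if (doAs == null) {
            return remoteUser;
        }
        if (remoteUser == null || remoteUser.isEmpty()) {
            throw new SecurityException("doAs requires an authenticated user");
        }
        return authorize(remoteUser, doAs);
    }

    // The real user must be explicitly allowed to act as the requested user.
    static String authorize(String realUser, String doAs) {
        if (!MAY_IMPERSONATE.getOrDefault(realUser, Set.of()).contains(doAs)) {
            throw new SecurityException("User " + realUser + " may not impersonate " + doAs);
        }
        return doAs;
    }

    public static void main(String[] args) {
        System.out.println("authenticated: " + resolveGuarded("gateway", "guest"));
        try { resolveUnguarded(null, "guest"); }
        catch (IllegalArgumentException e) { System.out.println("unguarded: " + e.getMessage()); }
        try { resolveGuarded(null, "guest"); }
        catch (SecurityException e) { System.out.println("guarded: " + e.getMessage()); }
    }
}
```

In a servlet filter the `SecurityException` path would map to a 401 or 403 response, which keeps the stack trace and internal class names out of the HTTP body.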