[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Attachment: HADOOP-14295.003.patch check a style error. > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch, > HADOOP-14295.003.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Status: Patch Available (was: In Progress) > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2, 2.7.4, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch, > HADOOP-14295.003.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Status: In Progress (was: Patch Available) adding style fix > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2, 2.7.4, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Release Note: Path has code refactored and testcases Status: Patch Available (was: In Progress) > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2, 2.7.4, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Attachment: HADOOP-14295.002.patch Refactoring and test case contributed by my colleague Yuan Bo Liu. Thanks Yuanbo for helping us determine the origin of the issue. > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Status: In Progress (was: Patch Available) > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2, 2.7.4, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Affects Version/s: 2.8.1 2.7.4 > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Fix Version/s: 3.0.0-alpha2 Status: Patch Available (was: Open) > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Fix For: 3.0.0-alpha2 > > Attachments: hadoop-14295.001.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeffrey E Rodriguez updated HADOOP-14295: -- Attachment: hadoop-14295.001.patch Patch for AuthenticationWithProxyUserFilter.java to use "x-forwarded-server" header (set by Knox proxy server) in case we get 127.0.0.1 when calling request gerRemoteAddr. > Authentication proxy filter on firewall cluster may fail authorization > because of getRemoteAddr > --- > > Key: HADOOP-14295 > URL: https://issues.apache.org/jira/browse/HADOOP-14295 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 3.0.0-alpha2 >Reporter: Jeffrey E Rodriguez >Assignee: Jeffrey E Rodriguez >Priority: Critical > Attachments: hadoop-14295.001.patch > > > Many production environments use firewalls to protect network traffic. In the > specific case of DataNode UI and other Hadoop server for which their ports > may fall on the list of firewalled ports the > org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd > (HttpServletRequest) which may return the firewall host such as 127.0.0.1. > This is unfortunately bad since if you are using a proxy in addition to do > perimeter protection, and you have added your proxy as a super user when > checking for the proxy IP to authorize user this would fail since > getRemoteAdd would return the IP of the firewall (127.0.0.1). > "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter > (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify > proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1" > I propese to add a check for x-forwarded-for header since proxys usually > inject that header before we do a getRemoteAddr -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org