[
https://issues.apache.org/jira/browse/YARN-8790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639039#comment-16639039
]
Eric Yang commented on YARN-8790:
---------------------------------
Used curl as a sanity test with YARN-8763 patch 004, and verified that the container
shell websocket is protected by AuthenticationFilter:
{code}
curl -i --negotiate -u : -H 'Upgrade: websocket' -H 'Connection: Upgrade' \
  -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==' \
  http://hadoop.example.com:8042/container/v1
HTTP/1.1 401 Authentication required
Date: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 272
HTTP/1.1 101 Switching Protocols
Date: Thu, 04 Oct 2018 21:02:22 GMT
Cache-Control: no-cache
Expires: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCP+d4BKPjrGJcC8EEDX5by19u6EetMvscxmkmImFrRFZCT+EdKYbaBIaNn9/Td/fmIW6EOQeXBy6T8UMmAP2588qi
Set-Cookie: hadoop.auth="u=hbase&p=hbase/[email protected]&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Upgrade: WebSocket
{code}
> Authentication Filter change to force security check
> -----------------------------------------------------
>
> Key: YARN-8790
> URL: https://issues.apache.org/jira/browse/YARN-8790
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Zian Chen
> Priority: Major
> Labels: Docker
>
> Hadoop node manager REST API is authenticated using AuthenticationFilter from
> Hadoop-auth project. AuthenticationFilter is added to the new WebSocket URL
> path spec. The requested remote user is verified to match the container owner
> to allow WebSocket connection to be established. WebSocket servlet code
> enforces the username match check.
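A check that automates the sanity test in the comment above, as an added example that is not part of the original message or of the Hadoop code base: it parses `curl -i` output and confirms that the upgrade is answered with a 401 Negotiate challenge before any 101 is issued, and that `Sec-WebSocket-Accept` matches the request key per RFC 6455. The function names and the sample transcript are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
KEY = "x3JJHMbDL1EzLkh9GBhXDw=="  # Sec-WebSocket-Key sent in the curl request

# Constructed transcript modeled on the output above; token and cookie are placeholders.
SAMPLE = """HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
HTTP/1.1 101 Switching Protocols
WWW-Authenticate: Negotiate PLACEHOLDER_TOKEN
Set-Cookie: hadoop.auth="u=user&t=kerberos&s=PLACEHOLDER"; Path=/; HttpOnly
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Upgrade: WebSocket
"""

def ws_accept(key):
    """Sec-WebSocket-Accept value the server must return for a given key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def parse_responses(transcript):
    """Split `curl -i` output into [(status, {header: [values]}), ...]."""
    responses = []
    for line in transcript.splitlines():
        if line.startswith("HTTP/"):
            responses.append((int(line.split()[1]), {}))
        elif responses and ":" in line:
            name, value = line.split(":", 1)
            responses[-1][1].setdefault(name.strip().lower(), []).append(value.strip())
    return responses

def check_gated_upgrade(transcript, key=KEY):
    """Return a list of problems; an empty list means the upgrade is auth-gated."""
    responses = parse_responses(transcript)
    if len(responses) != 2:
        return ["expected a 401 challenge followed by one final response"]
    (first, h1), (second, h2) = responses
    problems = []
    if first != 401 or "Negotiate" not in h1.get("www-authenticate", []):
        problems.append("first response is not a 401 Negotiate challenge")
    if "sec-websocket-accept" in h1:
        problems.append("handshake completed before authentication")
    if second != 101 or h2.get("sec-websocket-accept") != [ws_accept(key)]:
        problems.append("authenticated upgrade missing or accept value wrong")
    cookies = h2.get("set-cookie", [])
    if not any(c.startswith("hadoop.auth=") and "httponly" in c.lower() for c in cookies):
        problems.append("no HttpOnly hadoop.auth cookie on the authenticated response")
    return problems
```

Feeding it the saved output of the curl command should return an empty list; a transcript that goes straight to `101 Switching Protocols` without the 401 challenge is reported as a problem.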