Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- 2.7.4, 3.0.0-alpha2, 2.8.1
- None
- None
- Path has code refactored and testcases
Description
When we turn on Hadoop UI Kerberos and try to access Datanode /logs, the proxy (Knox) would get an Authorization failure and its host would show as 127.0.0.1 even though Knox wasn't on the local host of the Datanode. Error message:
"2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
We were able to figure out that the Datanode has Jetty listening on localhost and that Netty is used to serve requests to the DataNode; this was a measure to improve performance because of Netty's async NIO design.
I propose to add a check for the x-forwarded-for header, since proxies usually inject that header, before we do a getRemoteAddr.
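
The check proposed above, as an added example (not code from this report or from Hadoop): X-Forwarded-For is consulted only when the direct peer is a trusted hop, because the header is client-supplied and would otherwise let any caller choose the IP that the proxy-user check sees. The class name, the trusted-peer set and the sample addresses are assumptions; the resolver takes the values a filter would read from `getRemoteAddr()` and the header.

```java
import java.util.Set;

public class ForwardedAddressResolver {
    // Assumption: peers whose X-Forwarded-For header is believed, here the
    // loopback hop between Netty and Jetty described in the report.
    private final Set<String> trustedPeers;

    public ForwardedAddressResolver(Set<String> trustedPeers) {
        this.trustedPeers = trustedPeers;
    }

    /**
     * @param remoteAddr value returned by HttpServletRequest.getRemoteAddr()
     * @param xff        raw X-Forwarded-For header value, or null if absent
     * @return the address to hand to the proxy-user authorization check
     */
    public String resolve(String remoteAddr, String xff) {
        // A header sent by a peer we do not trust is ignored entirely.
        if (xff == null || !trustedPeers.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each hop appends on the right, so walk right to left and stop at
        // the first address that is not one of our own trusted hops.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedPeers.contains(hop)) {
                return hop;
            }
        }
        // Header held only trusted hops (or was empty): fall back.
        return remoteAddr;
    }

    public static void main(String[] args) {
        ForwardedAddressResolver r =
                new ForwardedAddressResolver(Set.of("127.0.0.1"));
        // Constructed sample values from the RFC 5737 documentation ranges.
        // Case 1: loopback peer, header lists end user then the proxy
        // (assumes the front hop appended the proxy's address).
        System.out.println(r.resolve("127.0.0.1", "198.51.100.7, 192.0.2.10"));
        // Case 2: loopback peer, no header present.
        System.out.println(r.resolve("127.0.0.1", null));
        // Case 3: direct, untrusted peer sending its own header.
        System.out.println(r.resolve("203.0.113.5", "192.0.2.10"));
    }
}
```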