[HADOOP-14295] Authentication proxy filter may fail authorization because of getRemoteAddr - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: 2.7.4, 3.0.0-alpha2, 2.8.1
Fix Version/s: None
Component/s: common
Labels:
None

Release Note:
Path has code refactored and testcases

Description

When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy (Knox) would get an Authorization failure and it hosts would should as 127.0.0.1 even though Knox wasn't in local host to Datanode, error message:

"2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"

We were able to figure out that Datanode have Jetty listening on localhost and that Netty is used to server request to DataNode, this was a measure to improve performance because of Netty Async NIO design.

I propose to add a check for x-forwarded-for header since proxys usually inject that header before we do a getRemoteAddr

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

hadoop-14295.001.patch
11/Apr/17 00:18
2 kB
Jeffrey E Rodriguez
HADOOP-14295.002.patch
12/Apr/17 07:33
5 kB
Jeffrey E Rodriguez
HADOOP-14295.003.patch
13/Apr/17 02:01
6 kB
Jeffrey E Rodriguez
HADOOP-14295.004.patch
14/Apr/17 08:41
5 kB
Yuanbo Liu

Activity

People

Assignee:: Jeffrey E Rodriguez

Reporter:: Jeffrey E Rodriguez

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 08/Apr/17 14:24

Updated:: 02/Oct/19 17:15