Details
-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 2.8.0, 3.0.0-alpha1
-
Component/s: None
-
Labels:None
Description
DelegationTokenAuthenticationHandler and DelegationTokenAuthenticationFilter are using ServletRequest#getRemoteHost which can send an address if possible. It should use getRemoteAddr instead
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #172 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/172/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/CHANGES.txt
SUCCESS: Integrated in Hadoop-Yarn-trunk #905 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/905/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
- hadoop-common-project/hadoop-common/CHANGES.txt
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #171 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/171/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
- hadoop-common-project/hadoop-common/CHANGES.txt
FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #162 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/162/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
- hadoop-common-project/hadoop-common/CHANGES.txt
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
FAILURE: Integrated in Hadoop-Hdfs-trunk #2103 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2103/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/CHANGES.txt
FAILURE: Integrated in Hadoop-trunk-Commit #7625 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7625/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)
- hadoop-common-project/hadoop-common/CHANGES.txt
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
Committed to trunk and branch-2
+1
Thanks for the fix Anubhav Dhoot
Will be committing this shortly..
+1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12726826/HADOOP-11704.002.patch
against trunk revision d52de61.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 1 new or modified test files.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 javadoc. There were no new javadoc warning messages.
+1 eclipse:eclipse. The patch built with eclipse:eclipse.
+1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.
Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//console
This message is automatically generated.
Attaching unit tests to validate fix
I think the logic is sound, as it normalize the configured ipaddress/hostname/cidr to ipaddress and then expects ipaddress to be passed in. Otherwise supporting both hostname and ipaddress to be passed in can be challenging. I can add a warning if the input is not an ipaddress to catch existing bugs like this.
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12704219/HADOOP-11704.001.patch
against trunk revision 6dae6d1.
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 javadoc. There were no new javadoc warning messages.
+1 eclipse:eclipse. The patch built with eclipse:eclipse.
+1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.
Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//console
This message is automatically generated.
Aah.. got it.. thanx for the clarification.. Your patch will I guess solve the problem, but you think maybe we should raise a JIRA to fix MachineList too ?
Hi Arun Suresh the way MachineList support hostnames is try to convert the passed in ip Address into a hostname and check if its a configured host, and if that fails convert all the configured hostnames into an ip address and check if it matches the passed in ip address. That means you can configure hostnames in the config but the caller still has to pass in an ip address.
Hey Anubhav Dhoot, doesnt MachineList handle both hostname as well as IP addresses ? or am I missing something ?
FAILURE: Integrated in Hadoop-Mapreduce-trunk #2121 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2121/)
HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)