Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11704

DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize()

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: None
    • Labels:
      None

      Description

      DelegationTokenAuthenticationHandler and DelegationTokenAuthenticationFilter are using ServletRequest#getRemoteHost which can send an address if possible. It should use getRemoteAddr instead

      1. HADOOP-11704.001.patch
        2 kB
        Anubhav Dhoot
      2. HADOOP-11704.002.patch
        6 kB
        Anubhav Dhoot

        Activity

        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Mapreduce-trunk #2121 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2121/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk #2121 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2121/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #172 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/172/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #172 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/172/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        hudson Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Yarn-trunk #905 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/905/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        Show
        hudson Hudson added a comment - SUCCESS: Integrated in Hadoop-Yarn-trunk #905 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/905/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #171 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/171/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #171 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/171/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #162 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/162/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #162 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/162/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-Hdfs-trunk #2103 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2103/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/CHANGES.txt
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Hdfs-trunk #2103 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2103/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/CHANGES.txt
        Hide
        hudson Hudson added a comment -

        FAILURE: Integrated in Hadoop-trunk-Commit #7625 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7625/)
        HADOOP-11704. DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8)

        • hadoop-common-project/hadoop-common/CHANGES.txt
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java
        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        Show
        hudson Hudson added a comment - FAILURE: Integrated in Hadoop-trunk-Commit #7625 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7625/ ) HADOOP-11704 . DelegationTokenAuthenticationFilter must pass ipaddress instead of hostname to ProxyUsers#authorize (Anubhav Dhoot via asuresh) (Arun Suresh: rev 424a00daa069bf2049014fd46ad152ec5fc77ac8) hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.java hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
        Hide
        asuresh Arun Suresh added a comment -

        Committed to trunk and branch-2

        Show
        asuresh Arun Suresh added a comment - Committed to trunk and branch-2
        Hide
        asuresh Arun Suresh added a comment -

        +1
        Thanks for the fix Anubhav Dhoot
        Will be committing this shortly..

        Show
        asuresh Arun Suresh added a comment - +1 Thanks for the fix Anubhav Dhoot Will be committing this shortly..
        Hide
        hadoopqa Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12726826/HADOOP-11704.002.patch
        against trunk revision d52de61.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//console

        This message is automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - +1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12726826/HADOOP-11704.002.patch against trunk revision d52de61. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-common-project/hadoop-common. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/6137//console This message is automatically generated.
        Hide
        adhoot Anubhav Dhoot added a comment -

        Attaching unit tests to validate fix

        Show
        adhoot Anubhav Dhoot added a comment - Attaching unit tests to validate fix
        Hide
        adhoot Anubhav Dhoot added a comment -

        I think the logic is sound, as it normalize the configured ipaddress/hostname/cidr to ipaddress and then expects ipaddress to be passed in. Otherwise supporting both hostname and ipaddress to be passed in can be challenging. I can add a warning if the input is not an ipaddress to catch existing bugs like this.

        Show
        adhoot Anubhav Dhoot added a comment - I think the logic is sound, as it normalize the configured ipaddress/hostname/cidr to ipaddress and then expects ipaddress to be passed in. Otherwise supporting both hostname and ipaddress to be passed in can be challenging. I can add a warning if the input is not an ipaddress to catch existing bugs like this.
        Hide
        hadoopqa Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12704219/HADOOP-11704.001.patch
        against trunk revision 6dae6d1.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//console

        This message is automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12704219/HADOOP-11704.001.patch against trunk revision 6dae6d1. +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-common-project/hadoop-common. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5928//console This message is automatically generated.
        Hide
        asuresh Arun Suresh added a comment -

        Aah.. got it.. thanx for the clarification.. Your patch will I guess solve the problem, but you think maybe we should raise a JIRA to fix MachineList too ?

        Show
        asuresh Arun Suresh added a comment - Aah.. got it.. thanx for the clarification.. Your patch will I guess solve the problem, but you think maybe we should raise a JIRA to fix MachineList too ?
        Hide
        adhoot Anubhav Dhoot added a comment -

        Hi Arun Suresh the way MachineList support hostnames is try to convert the passed in ip Address into a hostname and check if its a configured host, and if that fails convert all the configured hostnames into an ip address and check if it matches the passed in ip address. That means you can configure hostnames in the config but the caller still has to pass in an ip address.

        Show
        adhoot Anubhav Dhoot added a comment - Hi Arun Suresh the way MachineList support hostnames is try to convert the passed in ip Address into a hostname and check if its a configured host, and if that fails convert all the configured hostnames into an ip address and check if it matches the passed in ip address. That means you can configure hostnames in the config but the caller still has to pass in an ip address.
        Hide
        asuresh Arun Suresh added a comment -

        Hey Anubhav Dhoot, doesnt MachineList handle both hostname as well as IP addresses ? or am I missing something ?

        Show
        asuresh Arun Suresh added a comment - Hey Anubhav Dhoot , doesnt MachineList handle both hostname as well as IP addresses ? or am I missing something ?

          People

          • Assignee:
            adhoot Anubhav Dhoot
            Reporter:
            adhoot Anubhav Dhoot
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development