Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- None
- None
Description
For some links (such as "/jmx", "/stack"), blocking the links in the filter chain due to an impersonation issue is not friendly for users. For example, user "sam" is not allowed to be impersonated by user "knox", and the link "/jmx" doesn't need any user to do authorization by default. It only needs user "knox" to do authentication; in this case, it's not right to block the access in the SPNEGO filter. We intend to check impersonation permission when the method "getRemoteUser" of the request is used, so that such links ("/jmx", "/stack") would not be blocked by mistake.
Attachments
- HADOOP-14077.001.patch, 8 kB, Yuanbo Liu
- HADOOP-14077.002.patch, 9 kB, Yuanbo Liu
- HADOOP-14077.003.patch, 13 kB, Yuanbo Liu
Issue Links
- is superseded by
  - HADOOP-15222 Refine proxy user authorization to support multiple ACL list (Open)
- relates to
  - HADOOP-14060 HTTP servlet /logs should require authentication and authorization (Reopened)
  - HADOOP-13119 Add ability to secure log servlet using proxy users (Resolved)
Activity
-1 overall |
Vote | Subsystem | Runtime | Comment |
---|---|---|---|
0 | reexec | 17m 52s | Docker mode activated. |
+1 | @author | 0m 0s | The patch does not contain any @author tags. |
+1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
0 | mvndep | 0m 42s | Maven dependency ordering for branch |
+1 | mvninstall | 12m 31s | trunk passed |
+1 | compile | 13m 5s | trunk passed |
+1 | checkstyle | 1m 31s | trunk passed |
+1 | mvnsite | 1m 58s | trunk passed |
+1 | mvneclipse | 0m 59s | trunk passed |
+1 | findbugs | 2m 53s | trunk passed |
+1 | javadoc | 1m 35s | trunk passed |
0 | mvndep | 0m 16s | Maven dependency ordering for patch |
+1 | mvninstall | 1m 23s | the patch passed |
+1 | compile | 10m 51s | the patch passed |
+1 | javac | 10m 51s | the patch passed |
+1 | checkstyle | 1m 35s | the patch passed |
+1 | mvnsite | 2m 5s | the patch passed |
+1 | mvneclipse | 1m 8s | the patch passed |
+1 | whitespace | 0m 0s | The patch has no whitespace issues. |
-1 | findbugs | 0m 57s | hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0) |
+1 | javadoc | 1m 43s | the patch passed |
-1 | unit | 8m 19s | hadoop-common in the patch failed. |
+1 | unit | 0m 38s | hadoop-yarn-server-common in the patch passed. |
+1 | unit | 9m 9s | hadoop-mapreduce-client-app in the patch passed. |
+1 | asflicense | 0m 38s | The patch does not generate ASF License warnings. |
119m 7s |
Reason | Tests |
---|---|
FindBugs | module:hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common |
 | Redundant nullcheck of callerUGI, which is known to be non-null in org.apache.hadoop.yarn.server.webapp.AppBlock.render(HtmlBlock$Block) Redundant null check at AppBlock.java:[line 235] |
Failed junit tests | hadoop.security.TestKDiag |
Subsystem | Report/Notes |
---|---|
Docker | Image:yetus/hadoop:a9ad5d6 |
JIRA Issue | |
JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12852285/HADOOP-14077.001.patch |
Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
uname | Linux 7efadf6e87cf 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
Build tool | maven |
Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
git revision | trunk / 839b690 |
Default Java | 1.8.0_121 |
findbugs | v3.0.0 |
findbugs | https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/new-findbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-common.html |
unit | https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt |
Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/testReport/ |
modules | C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . |
Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/console |
Powered by | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org |
This message was automatically generated.
-1 overall |
Vote | Subsystem | Runtime | Comment |
---|---|---|---|
0 | reexec | 0m 15s | Docker mode activated. |
+1 | @author | 0m 0s | The patch does not contain any @author tags. |
+1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
0 | mvndep | 0m 16s | Maven dependency ordering for branch |
+1 | mvninstall | 12m 25s | trunk passed |
+1 | compile | 13m 3s | trunk passed |
+1 | checkstyle | 1m 31s | trunk passed |
+1 | mvnsite | 1m 57s | trunk passed |
+1 | mvneclipse | 0m 58s | trunk passed |
+1 | findbugs | 2m 51s | trunk passed |
+1 | javadoc | 1m 36s | trunk passed |
0 | mvndep | 0m 16s | Maven dependency ordering for patch |
+1 | mvninstall | 1m 22s | the patch passed |
+1 | compile | 11m 1s | the patch passed |
+1 | javac | 11m 2s | the patch passed |
-0 | checkstyle | 1m 36s | root: The patch generated 1 new + 59 unchanged - 7 fixed = 60 total (was 66) |
+1 | mvnsite | 2m 6s | the patch passed |
+1 | mvneclipse | 1m 7s | the patch passed |
+1 | whitespace | 0m 0s | The patch has no whitespace issues. |
+1 | findbugs | 3m 25s | the patch passed |
+1 | javadoc | 1m 45s | the patch passed |
-1 | unit | 8m 10s | hadoop-common in the patch failed. |
+1 | unit | 0m 39s | hadoop-yarn-server-common in the patch passed. |
+1 | unit | 9m 0s | hadoop-mapreduce-client-app in the patch passed. |
+1 | asflicense | 0m 38s | The patch does not generate ASF License warnings. |
100m 56s |
Reason | Tests |
---|---|
Failed junit tests | hadoop.security.TestRaceWhenRelogin |
 | hadoop.security.TestKDiag |
 | hadoop.net.TestDNS |
Subsystem | Report/Notes |
---|---|
Docker | Image:yetus/hadoop:a9ad5d6 |
JIRA Issue | |
JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12852302/HADOOP-14077.002.patch |
Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
uname | Linux 478d8f71a41f 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
Build tool | maven |
Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
git revision | trunk / 243c0f3 |
Default Java | 1.8.0_121 |
findbugs | v3.0.0 |
checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/diff-checkstyle-root.txt |
unit | https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt |
Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/testReport/ |
modules | C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . |
Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/console |
Powered by | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org |
This message was automatically generated.
eyang Sorry to interrupt, would you mind reviewing the patch? Thanks in advance.
Should we be concerned about the test regression?
There are problems with the style check, could you fix the spacing? Thanks
eyang Thanks for your response.
The test failure seems not to be related.
Concerning the checkstyle failure, it says a Java method cannot exceed 150 lines, so I refactored the method a bit.
Uploaded v3 patch, please review it.
-1 overall |
Vote | Subsystem | Runtime | Comment |
---|---|---|---|
0 | reexec | 0m 15s | Docker mode activated. |
+1 | @author | 0m 0s | The patch does not contain any @author tags. |
+1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
0 | mvndep | 1m 56s | Maven dependency ordering for branch |
+1 | mvninstall | 12m 23s | trunk passed |
+1 | compile | 12m 24s | trunk passed |
+1 | checkstyle | 1m 50s | trunk passed |
+1 | mvnsite | 1m 57s | trunk passed |
+1 | mvneclipse | 0m 56s | trunk passed |
+1 | findbugs | 3m 4s | trunk passed |
+1 | javadoc | 1m 34s | trunk passed |
0 | mvndep | 0m 17s | Maven dependency ordering for patch |
+1 | mvninstall | 1m 26s | the patch passed |
+1 | compile | 11m 50s | the patch passed |
+1 | javac | 11m 50s | the patch passed |
+1 | checkstyle | 2m 3s | the patch passed |
+1 | mvnsite | 2m 15s | the patch passed |
+1 | mvneclipse | 1m 1s | the patch passed |
+1 | whitespace | 0m 0s | The patch has no whitespace issues. |
+1 | findbugs | 3m 34s | the patch passed |
+1 | javadoc | 1m 46s | the patch passed |
-1 | unit | 8m 23s | hadoop-common in the patch failed. |
+1 | unit | 0m 43s | hadoop-yarn-server-common in the patch passed. |
+1 | unit | 9m 29s | hadoop-mapreduce-client-app in the patch passed. |
+1 | asflicense | 0m 37s | The patch does not generate ASF License warnings. |
104m 9s |
Reason | Tests |
---|---|
Failed junit tests | hadoop.security.TestKDiag |
Subsystem | Report/Notes |
---|---|
Docker | Image:yetus/hadoop:a9ad5d6 |
JIRA Issue | |
JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12852778/HADOOP-14077.003.patch |
Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle |
uname | Linux a32d2fabdbee 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
Build tool | maven |
Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
git revision | trunk / b7613e0 |
Default Java | 1.8.0_121 |
findbugs | v3.0.0 |
unit | https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt |
Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/testReport/ |
modules | C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . |
Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/console |
Powered by | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org |
This message was automatically generated.
The test failure is tracked by HADOOP-14030. So the failure is not related to my patch.
SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11278 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11278/)
HADOOP-14077. Add ability to access jmx via proxy. Contributed by (eyang: rev 172b23af33554b7d58fd41b022d983bcc2433da7)
- (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
- (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java
- (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
- (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java
yuanbo The Hadoop Security team has brought to my attention that this feature has the potential to weaken security. When a user is not authorized in the first proxy user list, the Authorization exception is captured and null is returned. This allows the second proxy list to be checked if the user chains StaticUserWebFilter and another AuthenticationFilterWithProxyUser together, per your comment in HADOOP-14060. However, this procedure can trigger a replay attack that uses the ProxyUser credential to fool other services, because the end user credential is not authorized to use the first proxy user in the first place. For this reason, I have no choice but to revert this commit. Sorry that I failed to spot the problem in the first round of review.
Reverting this change may impact managed services, such as when the cluster system administrator and users are from two companies. You may need to review whether your clusters depend on this feature.
This has already been part of a release. Please leave it resolved.
SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13810 (See https://builds.apache.org/job/Hadoop-trunk-Commit/13810/)
Revert "HADOOP-14077. Add ability to access jmx via proxy. Contributed (wangda: rev 3a8dade9b1bf01cf75fc68cecb351c23302cdee5)
- (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java
- (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java
- (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
- (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
Also fix some inappropriate operation of null point condition in YARN app controller.
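The failure mode described in the revert comment above, as an added Java model (not Hadoop code and not taken from the patch): a denied impersonation that is turned into null lets a later filter's proxy list decide, while a fail-closed check stops the chain. ProxyAcl, Request, both resolver methods, nextFilter and the user "alice" are hypothetical; "knox" and "sam" are the users from the description; records need Java 16 or later.

```java
import java.util.Map;
import java.util.Set;

// Added model, not Hadoop code: every type and method name here is hypothetical.
public class DeferredProxyCheck {
  /** Which proxy (authenticated) users may impersonate which end users. */
  record ProxyAcl(Map<String, Set<String>> allowed) {
    boolean permits(String proxy, String endUser) {
      return allowed.getOrDefault(proxy, Set.of()).contains(endUser);
    }
  }

  /** authUser is the authenticated caller; doAs is the optional impersonation target. */
  record Request(String path, String authUser, String doAs) {}

  /** Deferred check where a denial is swallowed and reported as null. */
  static String remoteUserFailOpen(Request r, ProxyAcl acl) {
    if (r.doAs() == null) return r.authUser();
    return acl.permits(r.authUser(), r.doAs()) ? r.doAs() : null;
  }

  /** Deferred check where a denial is an error the rest of the chain cannot ignore. */
  static String remoteUserFailClosed(Request r, ProxyAcl acl) {
    if (r.doAs() == null) return r.authUser();
    if (!acl.permits(r.authUser(), r.doAs())) {
      throw new SecurityException(r.authUser() + " may not impersonate " + r.doAs());
    }
    return r.doAs();
  }

  /** A later filter that reads null as "no decision yet" and consults its own list. */
  static String nextFilter(String userSoFar, Request r, ProxyAcl secondAcl) {
    if (userSoFar != null) return userSoFar;
    return secondAcl.permits(r.authUser(), r.doAs()) ? r.doAs() : null;
  }

  public static void main(String[] args) {
    ProxyAcl first = new ProxyAcl(Map.of("knox", Set.of("alice")));   // constructed
    ProxyAcl second = new ProxyAcl(Map.of("knox", Set.of("sam")));    // constructed
    Request jmx = new Request("/jmx", "knox", "sam");
    // Fail-open: the first list's denial becomes null, so the second list decides.
    System.out.println("fail-open user: " + nextFilter(remoteUserFailOpen(jmx, first), jmx, second));
    try {
      nextFilter(remoteUserFailClosed(jmx, first), jmx, second);
    } catch (SecurityException e) {
      System.out.println("fail-closed: " + e.getMessage());
    }
  }
}
```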