Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0-alpha4
    • security
    • None

    Description

      For some links(such as "/jmx, /stack"), blocking the links in filter chain due to impersonation issue is not friendly for users. For example, user "sam" is not allowed to be impersonated by user "knox", and the link "/jmx" doesn't need any user to do authorization by default. It only needs user "knox" to do authentication, in this case, it's not right to block the access in SPNEGO filter. We intend to check impersonation permission when the method "getRemoteUser" of request is used, so that such kind of links("/jmx, /stack") would not be blocked by mistake.

      Attachments

        1. HADOOP-14077.003.patch
          13 kB
          Yuanbo Liu
        2. HADOOP-14077.002.patch
          9 kB
          Yuanbo Liu
        3. HADOOP-14077.001.patch
          8 kB
          Yuanbo Liu

        Issue Links

          Activity

            yuanbo Yuanbo Liu created issue -
            yuanbo Yuanbo Liu made changes -
            Field Original Value New Value
            Link This issue relates to HADOOP-13119 [ HADOOP-13119 ]
            yuanbo Yuanbo Liu added a comment -

            Also fix some inappropriate operation of null point condition in YARN app controller.

            yuanbo Yuanbo Liu added a comment - Also fix some inappropriate operation of null point condition in YARN app controller.
            yuanbo Yuanbo Liu made changes -
            Attachment HADOOP-14077.001.patch [ 12852285 ]
            yuanbo Yuanbo Liu made changes -
            Status Open [ 1 ] Patch Available [ 10002 ]
            hadoopqa Hadoop QA added a comment -
            -1 overall



            Vote Subsystem Runtime Comment
            0 reexec 17m 52s Docker mode activated.
            +1 @author 0m 0s The patch does not contain any @author tags.
            +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
            0 mvndep 0m 42s Maven dependency ordering for branch
            +1 mvninstall 12m 31s trunk passed
            +1 compile 13m 5s trunk passed
            +1 checkstyle 1m 31s trunk passed
            +1 mvnsite 1m 58s trunk passed
            +1 mvneclipse 0m 59s trunk passed
            +1 findbugs 2m 53s trunk passed
            +1 javadoc 1m 35s trunk passed
            0 mvndep 0m 16s Maven dependency ordering for patch
            +1 mvninstall 1m 23s the patch passed
            +1 compile 10m 51s the patch passed
            +1 javac 10m 51s the patch passed
            +1 checkstyle 1m 35s the patch passed
            +1 mvnsite 2m 5s the patch passed
            +1 mvneclipse 1m 8s the patch passed
            +1 whitespace 0m 0s The patch has no whitespace issues.
            -1 findbugs 0m 57s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
            +1 javadoc 1m 43s the patch passed
            -1 unit 8m 19s hadoop-common in the patch failed.
            +1 unit 0m 38s hadoop-yarn-server-common in the patch passed.
            +1 unit 9m 9s hadoop-mapreduce-client-app in the patch passed.
            +1 asflicense 0m 38s The patch does not generate ASF License warnings.
            119m 7s



            Reason Tests
            FindBugs module:hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common
              Redundant nullcheck of callerUGI, which is known to be non-null in org.apache.hadoop.yarn.server.webapp.AppBlock.render(HtmlBlock$Block) Redundant null check at AppBlock.java:is known to be non-null in org.apache.hadoop.yarn.server.webapp.AppBlock.render(HtmlBlock$Block) Redundant null check at AppBlock.java:[line 235]
            Failed junit tests hadoop.security.TestKDiag



            Subsystem Report/Notes
            Docker Image:yetus/hadoop:a9ad5d6
            JIRA Issue HADOOP-14077
            JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852285/HADOOP-14077.001.patch
            Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
            uname Linux 7efadf6e87cf 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
            Build tool maven
            Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
            git revision trunk / 839b690
            Default Java 1.8.0_121
            findbugs v3.0.0
            findbugs https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/new-findbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-common.html
            unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt
            Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/testReport/
            modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: .
            Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/console
            Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

            This message was automatically generated.

            hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 17m 52s Docker mode activated. +1 @author 0m 0s The patch does not contain any @author tags. +1 test4tests 0m 0s The patch appears to include 1 new or modified test files. 0 mvndep 0m 42s Maven dependency ordering for branch +1 mvninstall 12m 31s trunk passed +1 compile 13m 5s trunk passed +1 checkstyle 1m 31s trunk passed +1 mvnsite 1m 58s trunk passed +1 mvneclipse 0m 59s trunk passed +1 findbugs 2m 53s trunk passed +1 javadoc 1m 35s trunk passed 0 mvndep 0m 16s Maven dependency ordering for patch +1 mvninstall 1m 23s the patch passed +1 compile 10m 51s the patch passed +1 javac 10m 51s the patch passed +1 checkstyle 1m 35s the patch passed +1 mvnsite 2m 5s the patch passed +1 mvneclipse 1m 8s the patch passed +1 whitespace 0m 0s The patch has no whitespace issues. -1 findbugs 0m 57s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0) +1 javadoc 1m 43s the patch passed -1 unit 8m 19s hadoop-common in the patch failed. +1 unit 0m 38s hadoop-yarn-server-common in the patch passed. +1 unit 9m 9s hadoop-mapreduce-client-app in the patch passed. +1 asflicense 0m 38s The patch does not generate ASF License warnings. 119m 7s Reason Tests FindBugs module:hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common   Redundant nullcheck of callerUGI, which is known to be non-null in org.apache.hadoop.yarn.server.webapp.AppBlock.render(HtmlBlock$Block) Redundant null check at AppBlock.java:is known to be non-null in org.apache.hadoop.yarn.server.webapp.AppBlock.render(HtmlBlock$Block) Redundant null check at AppBlock.java: [line 235] Failed junit tests hadoop.security.TestKDiag Subsystem Report/Notes Docker Image:yetus/hadoop:a9ad5d6 JIRA Issue HADOOP-14077 JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852285/HADOOP-14077.001.patch Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle uname Linux 7efadf6e87cf 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh git revision trunk / 839b690 Default Java 1.8.0_121 findbugs v3.0.0 findbugs https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/new-findbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-common.html unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/testReport/ modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11614/console Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org This message was automatically generated.
            yuanbo Yuanbo Liu added a comment -

            upload v2 patch to address findbugs issue.

            yuanbo Yuanbo Liu added a comment - upload v2 patch to address findbugs issue.
            yuanbo Yuanbo Liu made changes -
            Attachment HADOOP-14077.002.patch [ 12852302 ]
            hadoopqa Hadoop QA added a comment -
            -1 overall



            Vote Subsystem Runtime Comment
            0 reexec 0m 15s Docker mode activated.
            +1 @author 0m 0s The patch does not contain any @author tags.
            +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
            0 mvndep 0m 16s Maven dependency ordering for branch
            +1 mvninstall 12m 25s trunk passed
            +1 compile 13m 3s trunk passed
            +1 checkstyle 1m 31s trunk passed
            +1 mvnsite 1m 57s trunk passed
            +1 mvneclipse 0m 58s trunk passed
            +1 findbugs 2m 51s trunk passed
            +1 javadoc 1m 36s trunk passed
            0 mvndep 0m 16s Maven dependency ordering for patch
            +1 mvninstall 1m 22s the patch passed
            +1 compile 11m 1s the patch passed
            +1 javac 11m 2s the patch passed
            -0 checkstyle 1m 36s root: The patch generated 1 new + 59 unchanged - 7 fixed = 60 total (was 66)
            +1 mvnsite 2m 6s the patch passed
            +1 mvneclipse 1m 7s the patch passed
            +1 whitespace 0m 0s The patch has no whitespace issues.
            +1 findbugs 3m 25s the patch passed
            +1 javadoc 1m 45s the patch passed
            -1 unit 8m 10s hadoop-common in the patch failed.
            +1 unit 0m 39s hadoop-yarn-server-common in the patch passed.
            +1 unit 9m 0s hadoop-mapreduce-client-app in the patch passed.
            +1 asflicense 0m 38s The patch does not generate ASF License warnings.
            100m 56s



            Reason Tests
            Failed junit tests hadoop.security.TestRaceWhenRelogin
              hadoop.security.TestKDiag
              hadoop.net.TestDNS



            Subsystem Report/Notes
            Docker Image:yetus/hadoop:a9ad5d6
            JIRA Issue HADOOP-14077
            JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852302/HADOOP-14077.002.patch
            Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
            uname Linux 478d8f71a41f 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
            Build tool maven
            Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
            git revision trunk / 243c0f3
            Default Java 1.8.0_121
            findbugs v3.0.0
            checkstyle https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/diff-checkstyle-root.txt
            unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt
            Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/testReport/
            modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: .
            Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/console
            Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

            This message was automatically generated.

            hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 15s Docker mode activated. +1 @author 0m 0s The patch does not contain any @author tags. +1 test4tests 0m 0s The patch appears to include 1 new or modified test files. 0 mvndep 0m 16s Maven dependency ordering for branch +1 mvninstall 12m 25s trunk passed +1 compile 13m 3s trunk passed +1 checkstyle 1m 31s trunk passed +1 mvnsite 1m 57s trunk passed +1 mvneclipse 0m 58s trunk passed +1 findbugs 2m 51s trunk passed +1 javadoc 1m 36s trunk passed 0 mvndep 0m 16s Maven dependency ordering for patch +1 mvninstall 1m 22s the patch passed +1 compile 11m 1s the patch passed +1 javac 11m 2s the patch passed -0 checkstyle 1m 36s root: The patch generated 1 new + 59 unchanged - 7 fixed = 60 total (was 66) +1 mvnsite 2m 6s the patch passed +1 mvneclipse 1m 7s the patch passed +1 whitespace 0m 0s The patch has no whitespace issues. +1 findbugs 3m 25s the patch passed +1 javadoc 1m 45s the patch passed -1 unit 8m 10s hadoop-common in the patch failed. +1 unit 0m 39s hadoop-yarn-server-common in the patch passed. +1 unit 9m 0s hadoop-mapreduce-client-app in the patch passed. +1 asflicense 0m 38s The patch does not generate ASF License warnings. 100m 56s Reason Tests Failed junit tests hadoop.security.TestRaceWhenRelogin   hadoop.security.TestKDiag   hadoop.net.TestDNS Subsystem Report/Notes Docker Image:yetus/hadoop:a9ad5d6 JIRA Issue HADOOP-14077 JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852302/HADOOP-14077.002.patch Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle uname Linux 478d8f71a41f 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh git revision trunk / 243c0f3 Default Java 1.8.0_121 findbugs v3.0.0 checkstyle https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/diff-checkstyle-root.txt unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/testReport/ modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/console Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org This message was automatically generated.
            yuanbo Yuanbo Liu added a comment -

            eyang Sorry to interrupt, would you mind reviewing patch. Thanks in advance.

            yuanbo Yuanbo Liu added a comment - eyang Sorry to interrupt, would you mind reviewing patch. Thanks in advance.
            eyang Eric Yang added a comment -

            Should we be concerned about the test regression?

            https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/testReport/org.apache.hadoop.net/TestDNS/testNullDnsServer/

            There are problems with the style check, could you fix the spacing? Thanks

            eyang Eric Yang added a comment - Should we be concerned about the test regression? https://builds.apache.org/job/PreCommit-HADOOP-Build/11615/testReport/org.apache.hadoop.net/TestDNS/testNullDnsServer/ There are problems with the style check, could you fix the spacing? Thanks
            yuanbo Yuanbo Liu added a comment -

            eyang Thanks for your response.
            The test failure seem not to be related.
            Concerning the check style failure, it says the lines of java method can not exceed 150 lines. So I refactor the method a bit.
            Upload v3 patch, please review it

            yuanbo Yuanbo Liu added a comment - eyang Thanks for your response. The test failure seem not to be related. Concerning the check style failure, it says the lines of java method can not exceed 150 lines. So I refactor the method a bit. Upload v3 patch, please review it
            yuanbo Yuanbo Liu made changes -
            Attachment HADOOP-14077.003.patch [ 12852778 ]
            hadoopqa Hadoop QA added a comment -
            -1 overall



            Vote Subsystem Runtime Comment
            0 reexec 0m 15s Docker mode activated.
            +1 @author 0m 0s The patch does not contain any @author tags.
            +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
            0 mvndep 1m 56s Maven dependency ordering for branch
            +1 mvninstall 12m 23s trunk passed
            +1 compile 12m 24s trunk passed
            +1 checkstyle 1m 50s trunk passed
            +1 mvnsite 1m 57s trunk passed
            +1 mvneclipse 0m 56s trunk passed
            +1 findbugs 3m 4s trunk passed
            +1 javadoc 1m 34s trunk passed
            0 mvndep 0m 17s Maven dependency ordering for patch
            +1 mvninstall 1m 26s the patch passed
            +1 compile 11m 50s the patch passed
            +1 javac 11m 50s the patch passed
            +1 checkstyle 2m 3s the patch passed
            +1 mvnsite 2m 15s the patch passed
            +1 mvneclipse 1m 1s the patch passed
            +1 whitespace 0m 0s The patch has no whitespace issues.
            +1 findbugs 3m 34s the patch passed
            +1 javadoc 1m 46s the patch passed
            -1 unit 8m 23s hadoop-common in the patch failed.
            +1 unit 0m 43s hadoop-yarn-server-common in the patch passed.
            +1 unit 9m 29s hadoop-mapreduce-client-app in the patch passed.
            +1 asflicense 0m 37s The patch does not generate ASF License warnings.
            104m 9s



            Reason Tests
            Failed junit tests hadoop.security.TestKDiag



            Subsystem Report/Notes
            Docker Image:yetus/hadoop:a9ad5d6
            JIRA Issue HADOOP-14077
            JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852778/HADOOP-14077.003.patch
            Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
            uname Linux a32d2fabdbee 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
            Build tool maven
            Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
            git revision trunk / b7613e0
            Default Java 1.8.0_121
            findbugs v3.0.0
            unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt
            Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/testReport/
            modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: .
            Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/console
            Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

            This message was automatically generated.

            hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 15s Docker mode activated. +1 @author 0m 0s The patch does not contain any @author tags. +1 test4tests 0m 0s The patch appears to include 1 new or modified test files. 0 mvndep 1m 56s Maven dependency ordering for branch +1 mvninstall 12m 23s trunk passed +1 compile 12m 24s trunk passed +1 checkstyle 1m 50s trunk passed +1 mvnsite 1m 57s trunk passed +1 mvneclipse 0m 56s trunk passed +1 findbugs 3m 4s trunk passed +1 javadoc 1m 34s trunk passed 0 mvndep 0m 17s Maven dependency ordering for patch +1 mvninstall 1m 26s the patch passed +1 compile 11m 50s the patch passed +1 javac 11m 50s the patch passed +1 checkstyle 2m 3s the patch passed +1 mvnsite 2m 15s the patch passed +1 mvneclipse 1m 1s the patch passed +1 whitespace 0m 0s The patch has no whitespace issues. +1 findbugs 3m 34s the patch passed +1 javadoc 1m 46s the patch passed -1 unit 8m 23s hadoop-common in the patch failed. +1 unit 0m 43s hadoop-yarn-server-common in the patch passed. +1 unit 9m 29s hadoop-mapreduce-client-app in the patch passed. +1 asflicense 0m 37s The patch does not generate ASF License warnings. 104m 9s Reason Tests Failed junit tests hadoop.security.TestKDiag Subsystem Report/Notes Docker Image:yetus/hadoop:a9ad5d6 JIRA Issue HADOOP-14077 JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852778/HADOOP-14077.003.patch Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle uname Linux a32d2fabdbee 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh git revision trunk / b7613e0 Default Java 1.8.0_121 findbugs v3.0.0 unit https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/testReport/ modules C: hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U: . Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11626/console Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org This message was automatically generated.
            yuanbo Yuanbo Liu added a comment -

            The test failure is tracked by HADOOP-14030. So the failure is not related to my patch.

            yuanbo Yuanbo Liu added a comment - The test failure is tracked by HADOOP-14030 . So the failure is not related to my patch.
            eyang Eric Yang made changes -
            Component/s security [ 12312526 ]
            Fix Version/s 3.0.0-alpha3 [ 12339180 ]
            eyang Eric Yang added a comment - - edited

            +1 looks good. I just committed this. Thank you Yuanbo.

            eyang Eric Yang added a comment - - edited +1 looks good. I just committed this. Thank you Yuanbo.
            eyang Eric Yang made changes -
            Resolution Fixed [ 1 ]
            Status Patch Available [ 10002 ] Resolved [ 5 ]
            hudson Hudson added a comment -

            SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11278 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11278/)
            HADOOP-14077. Add ability to access jmx via proxy. Contributed by (eyang: rev 172b23af33554b7d58fd41b022d983bcc2433da7)

            • (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
            • (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java
            • (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
            • (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java
            hudson Hudson added a comment - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11278 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11278/ ) HADOOP-14077 . Add ability to access jmx via proxy. Contributed by (eyang: rev 172b23af33554b7d58fd41b022d983bcc2433da7) (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java
            yuanbo Yuanbo Liu added a comment -

            eyang Thanks for your review and commit.

            yuanbo Yuanbo Liu added a comment - eyang Thanks for your review and commit.
            kihwal Kihwal Lee made changes -
            Link This issue relates to HADOOP-14060 [ HADOOP-14060 ]
            eyang Eric Yang added a comment -

            yuanbo Hadoop Security team has brought to my attention that this feature has potential to weaken security. When user is not authorized in the first proxy user list, the Authorization exception is captured and return null. This allows the second proxy list to be checked if user chain StaticUserWebFilter and another AuthenticationFilterWithProxyUser together per your comment in HADOOP-14060. However, this procedure can trigger replay attack of using ProxyUser credential to fool other services because the end user credential is not authorized to use first proxy user in the first place. Given this reason, I have no choice but revert this commit. Sorry that I missed to spot the problem in the first round of review.

            When reverting this change, this may impact managed service, like the cluster system administrator and users are from two companies. You may need to review if your clusters depend on this feature.

            eyang Eric Yang added a comment - yuanbo Hadoop Security team has brought to my attention that this feature has potential to weaken security. When user is not authorized in the first proxy user list, the Authorization exception is captured and return null. This allows the second proxy list to be checked if user chain StaticUserWebFilter and another AuthenticationFilterWithProxyUser together per your comment in HADOOP-14060 . However, this procedure can trigger replay attack of using ProxyUser credential to fool other services because the end user credential is not authorized to use first proxy user in the first place. Given this reason, I have no choice but revert this commit. Sorry that I missed to spot the problem in the first round of review. When reverting this change, this may impact managed service, like the cluster system administrator and users are from two companies. You may need to review if your clusters depend on this feature.
            eyang Eric Yang made changes -
            Link This issue is superceded by HADOOP-15222 [ HADOOP-15222 ]
            eyang Eric Yang made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]

            This has already been part of a release. Please leave it resolved.

            cdouglas Christopher Douglas added a comment - This has already been part of a release. Please leave it resolved.
            cdouglas Christopher Douglas made changes -
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]
            hudson Hudson added a comment -

            SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13810 (See https://builds.apache.org/job/Hadoop-trunk-Commit/13810/)
            Revert "HADOOP-14077. Add ability to access jmx via proxy. Contributed (wangda: rev 3a8dade9b1bf01cf75fc68cecb351c23302cdee5)

            • (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java
            • (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java
            • (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java
            • (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java
            hudson Hudson added a comment - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #13810 (See https://builds.apache.org/job/Hadoop-trunk-Commit/13810/ ) Revert " HADOOP-14077 . Add ability to access jmx via proxy. Contributed (wangda: rev 3a8dade9b1bf01cf75fc68cecb351c23302cdee5) (edit) hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/webapp/AppController.java (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpengo.java (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationWithProxyUserFilter.java

            People

              yuanbo Yuanbo Liu
              yuanbo Yuanbo Liu
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: