Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16095 Support impersonation for AuthenticationFilter
  3. HADOOP-16314

Make sure all end point URL is covered by the same AuthenticationFilter

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.3.0
    • security
    • None

    Description

      In the enclosed spreadsheet, it shows the list of web applications deployed by Hadoop, and filters applied to each entry point.

      Hadoop web protocol impersonation has been inconsistent.  Most of entry point do not support ?doAs parameter.  This creates problem for secure gateway like Knox to proxy Hadoop web interface on behave of the end user.  When the receiving end does not check for ?doAs flag, web interface would be accessed using proxy user credential.  This can lead to all kind of security holes using path traversal to exploit Hadoop. 

      In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to solve the web impersonation problem.  This task is to track changes required in Hadoop code base to apply authentication filter globally for each of the web service port.

      Attachments

        1. HADOOP-16314-007.patch
          43 kB
          Prabhu Joseph
        2. HADOOP-16314-006.patch
          43 kB
          Prabhu Joseph
        3. HADOOP-16314-005.patch
          49 kB
          Prabhu Joseph
        4. HADOOP-16314-004.patch
          43 kB
          Prabhu Joseph
        5. HADOOP-16314-003.patch
          43 kB
          Prabhu Joseph
        6. HADOOP-16314-002.patch
          46 kB
          Prabhu Joseph
        7. HADOOP-16314-001.patch
          45 kB
          Prabhu Joseph
        8. scan.txt
          3 kB
          Eric Yang
        9. Hadoop Web Security.xlsx
          5 kB
          Eric Yang

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HDFS-14845 Ignore AuthenticationFilterInitializer for HttpFSServerWebServer and honor hadoop.http.authentication configs

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-18666 A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-16972 Ignore AuthenticationFilterInitializer for KMSWebServer

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved
          causes

          Sub-task - The sub-task of the issue HADOOP-16356 Distcp with webhdfs is not working with ProxyUserAuthenticationFilter or AuthenticationFilter

          • Major - Major loss of function.
          • Resolved

          Sub-task - The sub-task of the issue HADOOP-16367 ApplicationHistoryServer related testcases failing

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HDFS-15860 Standby Namenode bootstrap fails due to custom authentication handler being run for /imagetransfer endpoint

          • Major - Major loss of function.
          • Open
          is related to

          Sub-task - The sub-task of the issue HADOOP-16354 Enable AuthFilter as default for WebHdfs

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HDFS-14609 RBF: Security should use common AuthenticationFilter

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HDFS-14730 Remove unused configuration dfs.web.authentication.filter

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDFS-15271 Remove obsolete SPNEGO configuration of NN, SNN and JN.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Activity

            People

              prabhujoseph Prabhu Joseph
              eyang Eric Yang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: