Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16095 Support impersonation for AuthenticationFilter
  3. HADOOP-16366

Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.3.0
    • 3.3.0
    • security
    • None

    Description

      YARNUIV2 fails with "Request is a replay attack" when below settings configured.

      hadoop.security.authentication = kerberos
      hadoop.http.authentication.type = kerberos
      hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
      yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false

       AuthenticationFilter is added twice by the Yarn UI2 Context causing the issue.

      2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
      2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
      

       

      Another issue with TimelineReaderServer which ignores ProxyUserAuthenticationFilterInitializer when hadoop.http.filter.initializers is configured.

      Attachments

        1. HADOOP-16366-001.patch
          5 kB
          Prabhu Joseph
        2. HADOOP-16366-002.patch
          3 kB
          Prabhu Joseph
        3. HADOOP-16366-003.patch
          2 kB
          Prabhu Joseph

        Activity

          People

            prabhujoseph Prabhu Joseph
            prabhujoseph Prabhu Joseph
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: