[HADOOP-16366] Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.0
Fix Version/s: 3.3.0
Component/s: security
Labels:
None

Description

YARNUIV2 fails with "Request is a replay attack" when below settings configured.

hadoop.security.authentication = kerberos
hadoop.http.authentication.type = kerberos
hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false

AuthenticationFilter is added twice by the Yarn UI2 Context causing the issue.

2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter

Another issue with TimelineReaderServer which ignores ProxyUserAuthenticationFilterInitializer when hadoop.http.filter.initializers is configured.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-16366-001.patch
12/Jun/19 14:11
5 kB
Prabhu Joseph
HADOOP-16366-002.patch
12/Jun/19 19:27
3 kB
Prabhu Joseph
HADOOP-16366-003.patch
13/Jun/19 17:10
2 kB
Prabhu Joseph

Activity

People

Assignee:: Prabhu Joseph

Reporter:: Prabhu Joseph

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Jun/19 14:06

Updated:: 23/Oct/19 16:15

Resolved:: 14/Jun/19 16:56