Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Done

    Description

      The Hadoop node manager REST API is authenticated using AuthenticationFilter from the Hadoop-auth project. AuthenticationFilter is added to the new WebSocket URL path spec. The requested remote user is verified to match the container owner before the WebSocket connection is allowed to be established. The WebSocket servlet code enforces the username match check.

        Activity

          eyang Eric Yang added a comment -

          Used curl as a sanity test with YARN-8763 patch 004, and verified the container shell websocket is protected by AuthenticationFilter:

          curl -i --negotiate -u : -H 'Upgrade: websocket' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==' http://hadoop.example.com:8042/container/v1
          HTTP/1.1 401 Authentication required
          Date: Thu, 04 Oct 2018 21:02:22 GMT
          Date: Thu, 04 Oct 2018 21:02:22 GMT
          Pragma: no-cache
          X-Content-Type-Options: nosniff
          X-XSS-Protection: 1; mode=block
          WWW-Authenticate: Negotiate
          Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
          Cache-Control: must-revalidate,no-cache,no-store
          Content-Type: text/html;charset=iso-8859-1
          Content-Length: 272
          
          HTTP/1.1 101 Switching Protocols
          Date: Thu, 04 Oct 2018 21:02:22 GMT
          Cache-Control: no-cache
          Expires: Thu, 04 Oct 2018 21:02:22 GMT
          Date: Thu, 04 Oct 2018 21:02:22 GMT
          Pragma: no-cache
          Content-Type: text/plain;charset=utf-8
          X-Content-Type-Options: nosniff
          X-XSS-Protection: 1; mode=block
          WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCP+d4BKPjrGJcC8EEDX5by19u6EetMvscxmkmImFrRFZCT+EdKYbaBIaNn9/Td/fmIW6EOQeXBy6T8UMmAP2588qi
          Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
          X-Frame-Options: SAMEORIGIN
          Vary: Accept-Encoding
          Connection: Upgrade
          Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
          Upgrade: WebSocket
          
          eyang Eric Yang added a comment -

          There is no code change required to enable Kerberos authentication with web socket. The test is sufficient to show this is completed.
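
The curl sanity test from the comments, turned into a repeatable check (an added example, not code from the YARN patch): it parses a `curl -i` transcript and confirms the SPNEGO challenge, the RFC 6455 handshake, and that the authenticated user in the `hadoop.auth` cookie equals the container owner. The function names and the `container_owner` argument are assumptions made for this illustration.

```python
import base64, hashlib, re
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
# Header subset of the curl -i transcript in the comment above, embedded as sample input.
TRANSCRIPT = """\
HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly

HTTP/1.1 101 Switching Protocols
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
"""

def parse_responses(text):
    """Split curl -i output into (status, {header: [values]}) per response."""
    out = []
    for block in re.split(r"\r?\n\r?\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # response body, not a header block
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        out.append((int(lines[0].split()[1]), headers))
    return out

def expected_accept(key):
    """Sec-WebSocket-Accept value the server must return for a given key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def cookie_user(headers):
    """u= field of the hadoop.auth cookie, or None when the cookie is empty."""
    for cookie in headers.get("set-cookie", []):
        m = re.match(r'hadoop\.auth="?([^";]*)', cookie)
        if m and m.group(1):
            return dict(kv.split("=", 1) for kv in m.group(1).split("&")).get("u")

def check(text, ws_key, container_owner):
    """Return failed checks; container_owner is supplied by the tester (assumption)."""
    (s1, h1), (s2, h2) = parse_responses(text)  # expects challenge, then upgrade
    problems = []
    if s1 != 401 or not any(v.startswith("Negotiate") for v in h1.get("www-authenticate", [])):
        problems.append("unauthenticated request was not challenged with SPNEGO")
    if s2 != 101 or h2.get("sec-websocket-accept") != [expected_accept(ws_key)]:
        problems.append("upgrade missing or Sec-WebSocket-Accept does not match key")
    if cookie_user(h2) != container_owner:
        problems.append("upgraded session user is not the container owner")
    return problems
```

The check reads `u=` from the cookie without verifying its `s=` signature, which requires the server's signing secret; it validates observed behaviour, not the token itself.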


          People

            eyang Eric Yang
            Zian Chen Zian Chen