hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
Date Wed, 12 Apr 2017 08:58:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15965572#comment-15965572 ]

Wei-Chiu Chuang commented on HADOOP-14295:
------------------------------------------

Thanks for the quick intro. I'm not familiar with Knox but it sounds good to me. I like the
fact that any other proxies could work with this approach.

* Could you fix the checkstyle warning?
* As you said, this is for accessing DataNode /log via Knox. What happens if I access NameNode
/log locally from NameNode? Would it also print the warning "Could not get IP of proxy using x-forwarded-server
header"? What's the impact on other daemons (RM, NM...)?

> Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>            Priority: Critical
>             Fix For: 3.0.0-alpha2
>
>         Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch
>
>
> Many production environments use firewalls to protect network traffic. In the specific
> case of the DataNode UI and other Hadoop servers whose ports may fall on the list of
> firewalled ports, the org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses
> getRemoteAddr(HttpServletRequest), which may return the firewall host, such as 127.0.0.1.
> This is unfortunately bad, since if you are using a proxy in addition to do perimeter
> protection, and you have added your proxy as a super user, then checking the proxy IP
> to authorize the user would fail, since getRemoteAddr would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94))
> - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propose to add a check for the x-forwarded-for header, since proxies usually inject that
> header, before we do a getRemoteAddr.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
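
The header check proposed in the issue description above, as an added example (not the HADOOP-14295 patch and not Hadoop code): X-Forwarded-For is honoured only when the socket peer is a known forwarding hop, because any client can send that header itself. The class and method names, the sample addresses, and the assumption that the firewall appends the proxy's address to X-Forwarded-For are all illustrative; `Set.of` needs Java 9 or later.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration; all names and addresses here are hypothetical.
public class ForwardedPeer {
    // Loose character-class check for an IPv4/IPv6 literal (not a full parser);
    // it exists to reject hostnames and junk before any comparison.
    private static final Pattern IP_CHARS = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    /**
     * Returns the address to use for the proxy-user host check.
     * remoteAddr        value of HttpServletRequest.getRemoteAddr()
     * xff               raw X-Forwarded-For header value, may be null
     * trustedForwarders hops (e.g. the local firewall) allowed to vouch for the header
     */
    static String effectivePeer(String remoteAddr, String xff, Set<String> trustedForwarders) {
        // The header is client-supplied text unless a known hop delivered it.
        if (xff == null || !trustedForwarders.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Walk from the nearest hop outward; stop at the first hop we do not control.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IP_CHARS.matcher(hop).matches()) {
                return remoteAddr; // malformed entry: fall back to the socket peer
            }
            if (!trustedForwarders.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // header listed only trusted hops
    }

    public static void main(String[] args) {
        Set<String> firewall = Set.of("127.0.0.1"); // constructed: local firewall hop
        String proxy = "10.0.0.5";                  // constructed: proxy super-user host
        // Request relayed by the firewall: the proxy's address comes from the header.
        System.out.println(effectivePeer("127.0.0.1", "192.0.2.7, " + proxy, firewall));
        // Direct connection carrying a forged header: the header is ignored.
        System.out.println(effectivePeer("198.51.100.9", proxy, firewall));
        // Malformed header relayed by the firewall: fall back to the socket peer.
        System.out.println(effectivePeer("127.0.0.1", "knox.example, junk", firewall));
    }
}
```

The returned address is what a proxy-user host check would compare against its allowed hosts; when no trusted hop delivered the request, the result is the same as calling getRemoteAddr alone.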
