hadoop-common-issues mailing list archives

From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
Date Thu, 13 Apr 2017 01:40:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15966980#comment-15966980 ]

Yuanbo Liu commented on HADOOP-14295:

[~jojochuang] Thanks for your review.
could you fix the checkstyle warning
Sure, I could do that.
As you said this is for accessing...
If we use a proxy server (Knox) to access Namenode log locally, it doesn't print the warning log. If we access Namenode log directly, then we should attach "x-forwarded-server", otherwise the warning log is unavoidable. It doesn't have an impact on RM/NM because they don't use {{AuthenticationWithProxyUserFilter.java}} when they construct the filter chains.
But I think the warning log is harmless, right? After all, it will ignore "x-forwarded-server" and fall back to getRemoteAddr if the value is empty.

> Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>            Priority: Critical
>             Fix For: 3.0.0-alpha2
>         Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch
> Many production environments use firewalls to protect network traffic. In the specific case of DataNode UI and other Hadoop servers for which their ports may fall on the list of firewalled ports the org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses getRemoteAddr (HttpServletRequest) which may return the firewall host such as
> This is unfortunately bad since if you are using a proxy in addition to do perimeter protection, and you have added your proxy as a super user when checking for the proxy IP to authorize user this would fail since getRemoteAddr would return the IP of the firewall (
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP"
> I propose to add a check for x-forwarded-for header since proxies usually inject that header before we do a getRemoteAddr
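
An added example, not part of the original message or of Hadoop's code: one way to choose the address that is checked against the proxy-user host list, using X-Forwarded-For only when the direct peer is a known hop and falling back to the remote address otherwise. The class and method names, the trusted-hop set and the sample addresses are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.Set;

// Added illustration: class, method and parameter names are hypothetical, not Hadoop's.
public class ForwardedAddressResolver {

    // remoteAddr stands in for HttpServletRequest.getRemoteAddr();
    // forwardedFor is the raw X-Forwarded-For header value (may be null);
    // trustedHops are addresses of devices the operator runs (assumed policy input).
    static String resolve(String remoteAddr, String forwardedFor, Set<String> trustedHops) {
        // Header missing or empty: fall back to the socket peer.
        if (forwardedFor == null || forwardedFor.trim().isEmpty()) {
            return remoteAddr;
        }
        // Any client can send this header, so honour it only when the
        // direct peer is a hop we operate.
        if (!trustedHops.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each hop appends the peer it saw, so read right to left and stop at
        // the first address that is not one of our own hops.
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedHops.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed sample values from documentation address ranges.
        String firewall = "192.0.2.1";
        String proxy = "198.51.100.20";
        String client = "203.0.113.7";
        Set<String> trusted = Collections.singleton(firewall);

        // Request relayed by the firewall: the proxy host is recovered.
        System.out.println(resolve(firewall, client + ", " + proxy, trusted));
        // Direct connection with a forged header: the socket peer is used.
        System.out.println(resolve(client, proxy, trusted));
        // Empty header: fall back to the socket peer.
        System.out.println(resolve(firewall, "", trusted));
    }
}
```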
