Date: Tue, 11 Apr 2017 00:34:42 +0000 (UTC)
From: "Jeffrey E Rodriguez (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr

[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeffrey E Rodriguez updated HADOOP-14295:
------------------------------------------
    Fix Version/s: 3.0.0-alpha2
           Status: Patch Available  (was: Open)

> Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 3.0.0-alpha2
>            Reporter: Jeffrey E Rodriguez
>            Assignee: Jeffrey E Rodriguez
>            Priority: Critical
>             Fix For: 3.0.0-alpha2
>
>         Attachments: hadoop-14295.001.patch
>
>
> Many production environments use firewalls to protect network traffic.
> In the specific case of the DataNode UI and other Hadoop servers whose ports may fall on the list of firewalled ports, the org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses getRemoteAddr (HttpServletRequest), which may return the firewall host such as 127.0.0.1.
> This is unfortunately bad since if you are using a proxy in addition to do perimeter protection, and you have added your proxy as a super user when checking for the proxy IP to authorize user, this would fail since getRemoteAddr would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propose to add a check for the x-forwarded-for header since proxies usually inject that header before we do a getRemoteAddr

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
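As an added example (not the attached patch and not Hadoop's own code), the Python sketch below shows the client-address resolution the description argues for, together with the check a reviewer would want next to it: X-Forwarded-For is only honoured when the socket peer (here the firewall at 127.0.0.1) is a configured trusted hop, because otherwise any direct client could forge the header and present the proxy's address to the super-user check. The trusted-hop set and the knox host list are constructed values, not Hadoop configuration.

```python
import ipaddress

# Constructed scenario from the issue: the filter sits behind a firewall/NAT,
# so the socket peer is 127.0.0.1 even when the request came via the Knox proxy.
TRUSTED_HOPS = {"127.0.0.1"}                       # hops allowed to set X-Forwarded-For
SUPERUSER_ALLOWED_HOSTS = {"knox": {"10.0.0.5"}}   # constructed proxy-user host ACL


def effective_client_ip(remote_addr, xff_header, trusted_hops):
    """Resolve the address to authorize against.

    Walk the X-Forwarded-For chain from the right (nearest hop first) and skip
    every trusted hop; the first untrusted address is the real client. If the
    socket peer itself is not a trusted hop, the header is ignored entirely,
    since an arbitrary client can write anything into it.
    """
    if remote_addr not in trusted_hops or not xff_header:
        return remote_addr
    chain = [hop.strip() for hop in xff_header.split(",") if hop.strip()]
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if hop not in trusted_hops:
            return hop
    return remote_addr  # every hop was a trusted proxy; nothing else to trust


def authorize_superuser(superuser, remote_addr, xff_header):
    """Return (allowed, resolved_ip) for a proxy-user host check."""
    client_ip = effective_client_ip(remote_addr, xff_header, TRUSTED_HOPS)
    allowed_hosts = SUPERUSER_ALLOWED_HOSTS.get(superuser, set())
    return client_ip in allowed_hosts, client_ip


if __name__ == "__main__":
    # The failure from the issue: no header, peer is the firewall -> denied.
    print(authorize_superuser("knox", "127.0.0.1", None))
    # The intended fix: trusted peer forwards the proxy address -> allowed.
    print(authorize_superuser("knox", "127.0.0.1", "10.0.0.5"))
    # A direct, untrusted client forging the header -> still denied.
    print(authorize_superuser("knox", "192.0.2.9", "10.0.0.5"))
```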