Date: Thu, 13 Apr 2017 02:03:41 +0000 (UTC)
From: "Jeffrey E Rodriguez (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr

[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967003#comment-15967003 ]

Jeffrey E Rodriguez commented on HADOOP-14295:
-----------------------------------------------

Thanks for the explanation Yuanbo, you are right.

> Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
>            Reporter: Jeffrey E Rodriguez
>            Assignee: Jeffrey E Rodriguez
>            Priority: Critical
>             Fix For: 3.0.0-alpha2
>
>         Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch, HADOOP-14295.003.patch
>
>
> Many production environments use firewalls to protect network traffic.
> In the specific case of the DataNode UI and other Hadoop servers whose ports may fall on the list of firewalled ports, org.apache.hadoop.security.AuthenticationWithProxyUserFilter uses getRemoteAddr (HttpServletRequest), which may return the firewall host such as 127.0.0.1.
> This is unfortunately bad since if you are using a proxy in addition to do perimeter protection, and you have added your proxy as a super user, then when checking the proxy IP to authorize the user this would fail since getRemoteAddr would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propose to add a check for the x-forwarded-for header since proxies usually inject that header before we do a getRemoteAddr.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
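The quoted description proposes consulting X-Forwarded-For before falling back to getRemoteAddr. The check a reviewer would want alongside that proposal: X-Forwarded-For is written by whoever sends the request, so its entries can only be believed when the TCP peer is a known intermediary (here, the firewall hop that shows up as 127.0.0.1); otherwise any direct client can name the super-user's host and pass the proxy-user IP check. The following Python block is an added illustration of that resolution logic and is not Hadoop's Java filter or any of the attached patches. TRUSTED_PROXIES, PROXY_USER_HOSTS (a stand-in for the real hadoop.proxyuser.<superuser>.hosts setting), the addresses and the three sample requests are all constructed for the example.

```python
import ipaddress

# Constructed for this illustration (not Hadoop's configuration): the only
# intermediary whose X-Forwarded-For entries are believed is the loopback
# firewall hop that the report shows as getRemoteAddr()'s answer.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}

# Analogue of hadoop.proxyuser.<superuser>.hosts (constructed values):
# which source addresses each super-user may impersonate from.
PROXY_USER_HOSTS = {"knox": {ipaddress.ip_address("10.0.0.5")}}


def naive_forwarded_addr(remote_addr, xff_header):
    """Unsafe variant: believe the nearest-hop X-Forwarded-For entry whenever
    the header is present, no matter who the TCP peer is."""
    if xff_header:
        return xff_header.split(",")[-1].strip()
    return remote_addr


def effective_remote_addr(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Hardened variant: peel trusted intermediaries off the right end of
    X-Forwarded-For.

    Each proxy appends the address it received the request from, so the list
    reads oldest -> newest from left to right. Starting at the TCP peer we step
    leftwards only while the current hop is a proxy we trust; the first address
    that is not a trusted proxy is the one the proxy-user host check should see.
    When the TCP peer itself is untrusted the header is ignored outright, because
    a direct client can write anything into it.
    """
    current = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while current in trusted_proxies and hops:
        candidate = hops.pop()  # rightmost entry was appended by the nearest trusted hop
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: stop at the last verified hop rather than trust it
    return str(current)


def authorize_proxy_user(superuser, source_ip, proxy_user_hosts=PROXY_USER_HOSTS):
    """Mirror of 'super-user may only proxy from these hosts': the check that
    logged 'Unauthorized connection for super-user: knox from IP 127.0.0.1'."""
    return ipaddress.ip_address(source_ip) in proxy_user_hosts.get(superuser, set())


def run_scenarios():
    """Three constructed requests as (TCP peer, X-Forwarded-For header)."""
    requests = {
        # Knox (10.0.0.5) -> firewall (127.0.0.1) -> DataNode; the firewall appended Knox's IP.
        "via_firewall": ("127.0.0.1", "203.0.113.7, 10.0.0.5"),
        # Same path but the firewall injected no header: the failure in the report.
        "firewall_no_header": ("127.0.0.1", None),
        # Direct connection from an untrusted host forging Knox's address.
        "forged_direct": ("198.51.100.9", "10.0.0.5"),
    }
    results = {}
    for name, (peer, xff) in requests.items():
        hardened = effective_remote_addr(peer, xff)
        naive = naive_forwarded_addr(peer, xff)
        results[name] = {
            "hardened_ip": hardened,
            "hardened_ok": authorize_proxy_user("knox", hardened),
            "naive_ip": naive,
            "naive_ok": authorize_proxy_user("knox", naive),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:20s} hardened={r['hardened_ip']:>13s} ok={r['hardened_ok']!s:5s} "
              f"naive={r['naive_ip']:>13s} ok={r['naive_ok']}")
```

Running the block shows the three outcomes side by side: through the firewall with the header present both variants recover Knox's 10.0.0.5 and the super-user check passes; with no header both fall back to 127.0.0.1 and fail exactly as in the reported log line; for the forged direct request only the hardened variant refuses the header and denies the impersonation, while the naive one accepts 10.0.0.5 from an arbitrary client.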