hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8790) Authentication Filter change to force security check
Date Thu, 04 Oct 2018 23:33:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639039#comment-16639039 ]

Eric Yang commented on YARN-8790:
---------------------------------

Used curl as a sanity test with YARN-8763 patch 004, and verified that the container shell websocket
is protected by AuthenticationFilter:

{code}
curl -i --negotiate -u : -H 'Upgrade: websocket' -H 'Connection: Upgrade' \
  -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==' \
  http://hadoop.example.com:8042/container/v1
HTTP/1.1 401 Authentication required
Date: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 272

HTTP/1.1 101 Switching Protocols
Date: Thu, 04 Oct 2018 21:02:22 GMT
Cache-Control: no-cache
Expires: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCP+d4BKPjrGJcC8EEDX5by19u6EetMvscxmkmImFrRFZCT+EdKYbaBIaNn9/Td/fmIW6EOQeXBy6T8UMmAP2588qi
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Upgrade: WebSocket
{code}

> Authentication Filter change to force security check 
> -----------------------------------------------------
>
>                 Key: YARN-8790
>                 URL: https://issues.apache.org/jira/browse/YARN-8790
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zian Chen
>            Priority: Major
>              Labels: Docker
>
> Hadoop node manager REST API is authenticated using AuthenticationFilter from Hadoop-auth
> project. AuthenticationFilter is added to the new WebSocket URL path spec. The requested remote
> user is verified to match the container owner to allow WebSocket connection to be established.
> WebSocket servlet code enforces the username match check.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
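
As an added example (not part of the original comment or of the Hadoop code base), this Python check parses `curl -i` output like the transcript above and confirms that the unauthenticated request drew a 401 Negotiate challenge, that the 101 response carries a `hadoop.auth` cookie for the expected user, and that `Sec-WebSocket-Accept` matches the request key. The `expected_user` argument (standing in for the container owner) and the sample transcript with its placeholder cookie signature are assumptions; the actual owner match is enforced server-side by the servlet.

```python
import base64
import hashlib
import re

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

SAMPLE = """HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate

HTTP/1.1 101 Switching Protocols
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=PLACEHOLDER="; Path=/; HttpOnly
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
"""  # constructed: trimmed from the output above, cookie signature replaced

def parse_responses(transcript):
    """Split `curl -i` output into a list of (status, {header: [values]})."""
    responses = []
    for line in transcript.splitlines():
        status = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if status:
            responses.append((int(status.group(1)), {}))
        elif responses and ":" in line:
            name, value = line.split(":", 1)
            responses[-1][1].setdefault(name.strip().lower(), []).append(value.strip())
    return responses

def cookie_user(set_cookie):
    """Return the u= field of a hadoop.auth cookie, or None when it is empty."""
    m = re.match(r'hadoop\.auth="?([^";]*)', set_cookie)
    pairs = [f.split("=", 1) for f in (m.group(1) if m else "").split("&") if "=" in f]
    return dict(pairs).get("u")

def check_upgrade(transcript, ws_key, expected_user):
    """Return a list of problems; an empty list means the upgrade was gated."""
    responses = parse_responses(transcript)
    problems = []
    status, headers = responses[0] if responses else (None, {})
    if status != 401 or "Negotiate" not in headers.get("www-authenticate", []):
        problems.append("unauthenticated request was not answered with 401 Negotiate")
    upgraded = [h for s, h in responses if s == 101]
    if not upgraded:
        return problems + ["no 101 Switching Protocols response"]
    users = [cookie_user(c) for c in upgraded[0].get("set-cookie", [])]
    if expected_user not in users:
        problems.append("101 response has no hadoop.auth cookie for %s" % expected_user)
    digest = hashlib.sha1((ws_key + WS_GUID).encode()).digest()
    if upgraded[0].get("sec-websocket-accept") != [base64.b64encode(digest).decode()]:
        problems.append("Sec-WebSocket-Accept does not match the request key")
    return problems
```

Feed it the saved output of the curl command and the key sent in `Sec-WebSocket-Key`; a transcript whose first response is already a 101 is the regression this sanity test is meant to catch.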
