[ https://issues.apache.org/jira/browse/HADOOP-16366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16862580#comment-16862580 ]

Eric Yang commented on HADOOP-16366:
------------------------------------

[~Prabhu Joseph] I am not sure that renaming SPNEGO_FILTER back is necessary.  
I purposely made SPNEGO_FILTER the same as authentication filter to ensure 
there is no overlap between multiple filters that are assigned to validate 
Kerberos TGT.  Hence, server-side redirection would work properly.  This is 
because RM and webproxy may try to use different filters.  By making them the 
same name, only one is initialized globally.  Can you explain the reason for 
renaming this back?

> Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-16366
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16366
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16366-001.patch, HADOOP-16366-002.patch
>
>
> YARNUIV2 fails with "Request is a replay attack" when the below settings 
> are configured.
> {code:java}
> hadoop.security.authentication = kerberos
> hadoop.http.authentication.type = kerberos
> hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
> yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false
> {code}
>  AuthenticationFilter is added twice by the Yarn UI2 Context causing the 
> issue.
> {code:java}
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> {code}
>  
> Another issue is with {{TimelineReaderServer}}, which ignores 
> {{ProxyUserAuthenticationFilterInitializer}} when 
> {{hadoop.http.filter.initializers}} is configured.
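
A log check for the double registration described in the issue, as an added example that is not part of the original message or of Hadoop: it scans ResourceManager log text for `addFiltersForUI2Context` records and reports any filter added to the UI2 context more than once. The function name, the sample's third record and the assumption that the input covers a single ResourceManager startup are hypothetical.

```python
import re
from collections import Counter

# Record format taken from the RMWebAppUtil lines quoted in the issue.
FILTER_RECORD = re.compile(
    r"addFiltersForUI2Context\(\d+\)\) - UI2 context filter "
    r"Name:(?P<name>[^,\s]+),\s*className=(?P<cls>\S+)"
)
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def duplicate_ui2_filters(log_text):
    """Return {(name, className): count} for filters registered more than once.

    Assumes log_text covers one ResourceManager startup (hypothetical helper).
    """
    # Mail clients and terminals wrap long records; a line that does not
    # start with a timestamp is treated as a continuation of the previous one.
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    counts = Counter()
    for record in records:
        match = FILTER_RECORD.search(record)
        if match:
            counts[(match["name"], match["cls"])] += 1
    return {key: n for key, n in counts.items() if n > 1}

# Constructed sample: the two records from the issue (the first one wrapped
# as it appears in the mail) plus one made-up, non-duplicated filter.
SAMPLE = """\
2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil
(RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter
Name:authentication,
className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:authentication, className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
2019-06-12 11:59:43,901 INFO webapp.RMWebAppUtil (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter Name:example-filter, className=com.example.ExampleFilter
"""

if __name__ == "__main__":
    for (name, cls), n in duplicate_ui2_filters(SAMPLE).items():
        print(f"filter '{name}' ({cls}) added {n} times to the UI2 context")
```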


