[ https://issues.apache.org/jira/browse/HADOOP-16366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16863238#comment-16863238 ]
Eric Yang commented on HADOOP-16366:
------------------------------------
[~Prabhu Joseph] Thank you for the explanation from your point of view.
SpnegoFilter code path was a good effort to centralize AuthenticationFilter
initialization for all web applications. Except that other developers have
added extensions to make authentication filter independent of SpnegoFilter.
Since both code paths are in use and both are meant to cover all paths
globally, it may create more problems if we allow FilterHolder for
SpnegoFilter to report something that is not running. SpnegoFilter and
authentication filter are attached to different web application contexts;
therefore, they don't overlap in general. The only case in which they would
overlap is using embedded web proxy with resource manager. Resource manager
servlets are written as web filters and attach to the same web application
context as web proxy. In this case, we are using authentication filter because
webproxy keytab and principal were not specified in config. If we report
SpnegoFilter with null path to downstream logic, it would be incorrect because
resource manager has authentication filter for resource manager web application
context.
This is the reason that I object to the one-line change. Do you see any
problem if the one-line fix is not in place?
> Fix TimelineReaderServer ignores ProxyUserAuthenticationFilterInitializer
> -------------------------------------------------------------------------
>
> Key: HADOOP-16366
> URL: https://issues.apache.org/jira/browse/HADOOP-16366
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.3.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16366-001.patch, HADOOP-16366-002.patch
>
>
> YARNUIV2 fails with "Request is a replay attack" when the below settings
> are configured.
> {code:java}
> hadoop.security.authentication = kerberos
> hadoop.http.authentication.type = kerberos
> hadoop.http.filter.initializers =
> org.apache.hadoop.security.AuthenticationFilterInitializer
> yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled = false{code}
> AuthenticationFilter is added twice by the Yarn UI2 Context causing the
> issue.
> {code:java}
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil
> (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter
> Name:authentication,
> className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> 2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil
> (RMWebAppUtil.java:addFiltersForUI2Context(483)) - UI2 context filter
> Name:authentication,
> className=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> {code}
>
> Another issue is with {{TimelineReaderServer}}, which ignores
> {{ProxyUserAuthenticationFilterInitializer}} when
> {{hadoop.http.filter.initializers}} is configured.
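The failure described in the issue, as an added example that is not part of the thread and not Hadoop code: a simplified model of why a filter registered twice in one context rejects a legitimate request, plus a check that flags duplicate registrations in log lines shaped like the excerpt above. The class and function names are hypothetical, and the shared replay cache is an assumed simplification of the single-use token validation behind the "Request is a replay attack" error.

```python
import re
from collections import Counter

class ReplayError(Exception):
    """Raised when a token that was already validated is presented again."""

class ReplayCache:
    """Acceptor-side cache: each SPNEGO token may be validated only once."""
    def __init__(self):
        self._seen = set()

    def accept(self, token):
        if token in self._seen:
            raise ReplayError("Request is a replay attack")
        self._seen.add(token)

class AuthFilter:
    """Stand-in for AuthenticationFilter (simplified model, an assumption)."""
    def __init__(self, cache):
        self.cache = cache

    def do_filter(self, token):
        self.cache.accept(token)  # a second filter sees the same token again

def handle_request(chain, token):
    """Run one request's token through every filter in the context, in order."""
    try:
        for f in chain:
            f.do_filter(token)
        return "OK"
    except ReplayError as exc:
        return "REJECTED: " + str(exc)

FILTER_RE = re.compile(r"UI2 context filter\s+Name:(\w+),\s*className=([\w.$]+)")

def duplicate_filters(log_lines):
    """Return names of filters logged more than once with the same class."""
    text = " ".join(line.strip() for line in log_lines)  # undo line wrapping
    counts = Counter(FILTER_RE.findall(text))
    return sorted(name for (name, _cls), n in counts.items() if n > 1)

# Constructed sample modelled on the log excerpt in the issue description.
_ENTRY = [
    "2019-06-12 11:59:43,900 INFO webapp.RMWebAppUtil - UI2 context filter",
    "Name:authentication,",
    "className=org.apache.hadoop.security.authentication.server.AuthenticationFilter",
]
SAMPLE_LOG = _ENTRY * 2  # the same filter is logged twice, as in the issue
```

With one `AuthFilter` in the chain a fresh token passes; with two, the client's single valid token is rejected by the second filter even though no attacker is involved.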