[jira] [Moved] (HADOOP-19904) HttpServer2 access log does not record the authenticated user

Tue, 26 May 2026 21:07:07 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-19904?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

KWON BYUNGCHANG moved HDFS-17928 to HADOOP-19904:
-------------------------------------------------

        Key: HADOOP-19904  (was: HDFS-17928)
    Project: Hadoop Common  (was: Hadoop HDFS)

> HttpServer2 access log does not record the authenticated user
> -------------------------------------------------------------
>
>                 Key: HADOOP-19904
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19904
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: KWON BYUNGCHANG
>            Priority: Major
>              Labels: pull-request-available
>
> h2. Problem
> HttpServer2's access log always records `-` in the `%u` position even
> for authenticated requests:
> Affects every HttpServer2-backed daemon (NN/DN/RM/NM/HttpFS/KMS).
>  
> h2. Root cause
> `AuthenticationFilter` wraps `HttpServletRequest` so downstream
> filters and servlets see the user via `getRemoteUser()`. The wrap
> only flows through the filter chain. Jetty's `RequestLogHandler`
> runs outside the chain on the base `Request`, whose
> `getAuthentication()` stays as `NOT_CHECKED` forever.
>  
> Jetty's native auth path (`jetty-security` Authenticators) sets
> `Request.setAuthentication(...)` directly, which is why standard
> deployments don't have this issue. Hadoop avoids `jetty-security`
> for container portability and pays this cost.
>  
> h2. Fix
> Install a small Servlet `Filter` (in hadoop-common) after the
> auth filters that:
>  
> 1. Reads `getRemoteUser()` from the wrapped request,
> 2. Calls `Request.setAuthentication(...)` on the base `Request`
> with a minimal inline `Authentication.User` (no
> `jetty-security` dependency).
>  
> `HttpServer2.initializeWebServer` installs it automatically after
> `FilterInitializer`s; no configuration needed. Works for both
> Kerberos and pseudo-auth — both feed the user through
> `getRemoteUser()`.
>  
> h2. Known gap
> `DelegationTokenAuthenticationHandler.managementOperation` writes
> its response inline and returns `false`, so `AuthenticationFilter`
> skips `filterChain.doFilter`. The bridge filter doesn't run for
> token mgmt requests; the handler attaches directly there.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to