You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2017/04/11 11:20:41 UTC

[jira] [Comment Edited] (HADOOP-14295) Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr

    [ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15964158#comment-15964158 ] 

Wei-Chiu Chuang edited comment on HADOOP-14295 at 4/11/17 11:20 AM:
--------------------------------------------------------------------

Hello [~jeffreyr97] thanks for filing this.
IIUC, AuthenticationWithProxyUserFilter was added in HADOOP-13119, which was fixed in 2.7.4, 3.0.0-alpha2, 2.8.1, and therefore please update affects versions and target versions accordingly.

Also, it would be awesome if you could also attach a test case. Thanks!


was (Author: jojochuang):
Hello [~jeffreyr97] thanks for filing this.
IIUC, AuthenticationWithProxyUserFilter was added in HADOOP-13119, which was fixed in 2.7.4, 3.0.0-alpha2, 2.8.1, and therefore please update affects versions and target versions accordingly.

> Authentication proxy filter on firewall cluster may fail authorization because of getRemoteAddr
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14295
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14295
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 3.0.0-alpha2
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>            Priority: Critical
>             Fix For: 3.0.0-alpha2
>
>         Attachments: hadoop-14295.001.patch
>
>
> Many production environments use firewalls to protect network traffic. In the specific case of DataNode UI and other Hadoop server for which their ports may fall on the list of firewalled ports the org.apache.hadoop.security.AuthenticationWithProxyUserFilter user getRemotAdd (HttpServletRequest) which may return the firewall host such as 127.0.0.1.
> This is unfortunately bad since if you are using a proxy in addition to do perimeter protection, and you have added your proxy as a super user when  checking for the proxy IP to authorize user this would fail since getRemoteAdd would return the IP of the firewall (127.0.0.1).
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> I propese to add a check for x-forwarded-for header since proxys usually inject that header before we do a getRemoteAddr



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org