You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2017/04/13 12:09:41 UTC
[jira] [Comment Edited] (HADOOP-14295) Authentication proxy filter
may fail authorization because of getRemoteAddr
[ https://issues.apache.org/jira/browse/HADOOP-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967365#comment-15967365 ]
Wei-Chiu Chuang edited comment on HADOOP-14295 at 4/13/17 12:09 PM:
--------------------------------------------------------------------
Hi [~yuanbo] thanks for clarification.
bq. If we use a proxy server(Knox) to access Namenode log locally, it doesn't print the warning log. If we access Namenode log directly, then we should attach "x-forwarded-server", otherwise the warning log is unavoidable. It doesn't have impact on RM/NM because they don't use AuthenticationWithProxyUserFilter.java when they construct the filter chains.
bq. But I think the warning log is harmless, right? After all, it will ignore "x-forwarded-server" and fallback to getRemoteAddr if the value is empty.
Understood it's a harmless false positive. However, our customers often get confused and issue tickets when they see an unexpected warning message like this. I assume this happens to other Hadoop vendors too.
At least, could you change the message to admit this can be a false positive for NameNode?
was (Author: jojochuang):
Hi [~yuanbo] thanks for clarification.
bq. If we use a proxy server(Knox) to access Namenode log locally, it doesn't print the warning log. If we access Namenode log directly, then we should attach "x-forwarded-server", otherwise the warning log is unavoidable. It doesn't have impact on RM/NM because they don't use AuthenticationWithProxyUserFilter.java when they construct the filter chains.
But I think the warning log is harmless, right? After all, it will ignore "x-forwarded-server" and fallback to getRemoteAddr if the value is empty.
Understood it's a harmless false positive. However, our customers often get confused and issue tickets when they see an unexpected warning message like this. I assume this happens to other Hadoop vendors too.
At least, could you change the message to admit this can be a false positive for NameNode?
> Authentication proxy filter may fail authorization because of getRemoteAddr
> ---------------------------------------------------------------------------
>
> Key: HADOOP-14295
> URL: https://issues.apache.org/jira/browse/HADOOP-14295
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.7.4, 3.0.0-alpha2, 2.8.1
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 3.0.0-alpha2
>
> Attachments: hadoop-14295.001.patch, HADOOP-14295.002.patch, HADOOP-14295.003.patch
>
>
> When we turn on Hadoop UI Kerberos and try to access Datanode /logs the proxy (Knox) would get an Authorization failure and it hosts would should as 127.0.0.1 even though Knox wasn't in local host to Datanode, error message:
> {quote}
> "2017-04-08 07:01:23,029 ERROR security.AuthenticationWithProxyUserFilter (AuthenticationWithProxyUserFilter.java:getRemoteUser(94)) - Unable to verify proxy user: Unauthorized connection for super-user: knox from IP 127.0.0.1"
> {quote}
> We were able to figure out that Datanode have Jetty listening on localhost and that Netty is used to server request to DataNode, this was a measure to improve performance because of Netty Async NIO design.
> I propose to add a check for x-forwarded-for header since proxys usually inject that header before we do a getRemoteAddr
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org