Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/10/04 23:33:00 UTC

[jira] [Commented] (YARN-8790) Authentication Filter change to force security check

    [ https://issues.apache.org/jira/browse/YARN-8790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639039#comment-16639039 ] 

Eric Yang commented on YARN-8790:
---------------------------------

Used curl as a sanity test with YARN-8763 patch 004, and verified that the container shell WebSocket is protected by AuthenticationFilter:

{code}
curl -i --negotiate -u : -H 'Upgrade: websocket' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==' http://hadoop.example.com:8042/container/v1
HTTP/1.1 401 Authentication required
Date: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 272

HTTP/1.1 101 Switching Protocols
Date: Thu, 04 Oct 2018 21:02:22 GMT
Cache-Control: no-cache
Expires: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCP+d4BKPjrGJcC8EEDX5by19u6EetMvscxmkmImFrRFZCT+EdKYbaBIaNn9/Td/fmIW6EOQeXBy6T8UMmAP2588qi
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Upgrade: WebSocket
{code}

> Authentication Filter change to force security check 
> -----------------------------------------------------
>
>                 Key: YARN-8790
>                 URL: https://issues.apache.org/jira/browse/YARN-8790
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zian Chen
>            Priority: Major
>              Labels: Docker
>
> Hadoop node manager REST API is authenticated using AuthenticationFilter from Hadoop-auth project. AuthenticationFilter is added to the new WebSocket URL path spec. The requested remote user is verified to match the container owner to allow WebSocket connection to be established. WebSocket servlet code enforces the username match check.



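The curl check in the comment above can be turned into a repeatable assertion. The following is an added example, not part of the original message or of the YARN patch: it parses a saved `curl -i` transcript and reports a problem if the 101 upgrade was not preceded by a 401 Negotiate challenge, or if the 101 does not carry a Kerberos `hadoop.auth` cookie for the expected user. The function names, the `expected_user` parameter and the trimmed transcript are assumptions of the example.

```python
# Constructed sample, trimmed from the curl -i output above; s= is a placeholder.
TRANSCRIPT = """\
HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly

HTTP/1.1 101 Switching Protocols
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example.com@EXAMPLE.COM&t=kerberos&e=1538722942268&s=PLACEHOLDER"; Path=/; Domain=example.com; HttpOnly
Connection: Upgrade
Upgrade: WebSocket
"""

def parse_responses(text):
    """Split `curl -i` output into (status, {header: [values]}) pairs."""
    responses = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        if not block.startswith("HTTP/"):
            continue  # response body or blank run, not a header block
        lines, headers = block.splitlines(), {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        responses.append((int(lines[0].split()[1]), headers))
    return responses

def cookie_fields(headers):
    """Return the fields of a non-empty hadoop.auth cookie as a dict, else {}."""
    for cookie in headers.get("set-cookie", []):
        name, _, rest = cookie.partition("=")
        value = rest.split(";", 1)[0].strip('"')
        if name == "hadoop.auth" and value:
            return dict(f.split("=", 1) for f in value.split("&"))
    return {}

def check_upgrade(text, expected_user):
    """Return a list of problems; empty means the 101 was gated by SPNEGO."""
    responses = parse_responses(text)
    idx = next((i for i, r in enumerate(responses) if r[0] == 101), None)
    if idx is None:
        return ["no 101 response"]
    prev = responses[idx - 1] if idx else (None, {})
    fields, problems = cookie_fields(responses[idx][1]), []
    if prev[0] != 401 or "Negotiate" not in prev[1].get("www-authenticate", []):
        problems.append("101 not preceded by a 401 Negotiate challenge")
    if fields.get("t") != "kerberos":
        problems.append("101 carries no Kerberos-authenticated hadoop.auth cookie")
    if fields.get("u") != expected_user:
        problems.append("authenticated user is not the expected user")
    return problems
```

A transcript in which the server answers the first request with 101 directly produces all three problems, which is the regression the filter change is meant to prevent.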