Posted to common-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2019/06/04 22:08:00 UTC

[jira] [Comment Edited] (HADOOP-16314) Make sure all end point URL is covered by the same AuthenticationFilter

    [ https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16856114#comment-16856114 ] 

Eric Yang edited comment on HADOOP-16314 at 6/4/19 10:07 PM:
-------------------------------------------------------------

[~Prabhu Joseph] Can you upload patch 6 again as patch 7?  The latest test report is inaccurate because the tested patch is different from patch 6.

Thanks for the explanation. I briefly scanned the code in DelegationTokenAuthenticationFilter.  I think both filters can interoperate together.  UI2 works fine when retrieving logs from the timeline server.


was (Author: eyang):
[~Prabhu Joseph] Can you upload patch 6 again as patch 7?  The latest test report is inaccurate because the tested patch is different from patch 6.

> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-16314
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch, HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch, HADOOP-16314-006.patch, Hadoop Web Security.xlsx, scan.txt
>
>
> The enclosed spreadsheet shows the list of web applications deployed by Hadoop and the filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent.  Most entry points do not support the ?doAs parameter.  This creates a problem for a secure gateway like Knox to proxy the Hadoop web interface on behalf of the end user.  When the receiving end does not check for the ?doAs flag, the web interface would be accessed using the proxy user credential.  This can lead to all kinds of security holes using path traversal to exploit Hadoop. 
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to the web impersonation problem.  This task is to track the changes required in the Hadoop code base to apply the authentication filter globally for each of the web service ports.
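
The check the description asks every entry point to make, shown as an added example that is not Hadoop's or the patch's own code: once the AuthenticationFilter has established the caller (e.g. knox), a ?doAs parameter is honoured only if the caller is an allowed proxy for that user from that host, otherwise the request runs as the caller itself or is rejected. The in-memory PROXY_USERS allowlist, the sample users and the address 10.0.0.5 are constructed for this example and stand in for the hadoop.proxyuser.<proxy>.users/.hosts settings.

```python
"""Added illustration of the doAs check a web entry point should make once the
AuthenticationFilter has identified the caller. Not Hadoop code: the allowlist
stands in for the hadoop.proxyuser.<proxy>.users/.hosts settings that
ProxyUsers.authorize evaluates in a real deployment (assumption)."""
from urllib.parse import parse_qs


class AuthorizationError(Exception):
    """Raised when an impersonation request is not permitted."""


# Constructed sample config: knox may act for alice and bob, only from 10.0.0.5.
PROXY_USERS = {
    "knox": {"users": {"alice", "bob"}, "hosts": {"10.0.0.5"}},
}


def effective_user(auth_user, query_string, remote_addr, proxy_users=PROXY_USERS):
    """Return the identity the request must run as.

    auth_user    -- principal established by the AuthenticationFilter (e.g. knox)
    query_string -- raw query string of the request, e.g. "doAs=alice&a=b"
    remote_addr  -- client address seen by the filter
    """
    values = parse_qs(query_string).get("doAs", [])
    if len(set(values)) > 1:
        raise AuthorizationError("conflicting doAs values")
    do_as = values[0] if values else None
    if not do_as or do_as == auth_user:
        return auth_user                    # no impersonation requested
    rule = proxy_users.get(auth_user)
    if rule is None:
        raise AuthorizationError(f"{auth_user} is not a configured proxy user")
    if "*" not in rule["users"] and do_as not in rule["users"]:
        raise AuthorizationError(f"{auth_user} may not act as {do_as}")
    if "*" not in rule["hosts"] and remote_addr not in rule["hosts"]:
        raise AuthorizationError(f"{auth_user} may not proxy from {remote_addr}")
    return do_as                            # run as the end user, not the proxy


def handle(auth_user, query_string, remote_addr):
    """Minimal entry point: (status, identity or reason) for the request."""
    try:
        return 200, effective_user(auth_user, query_string, remote_addr)
    except AuthorizationError as exc:
        return 403, str(exc)
```

An entry point that skips this step serves the request as the proxy user's own identity, which is exactly the inconsistency the spreadsheet catalogues.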



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
