[ https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855152#comment-16855152 ]
Eric Yang commented on HADOOP-16314: ------------------------------------ [~Prabhu Joseph] If I am reading patch 5 code correctly, this will ignore both AuthenticationFilter, and also ProxyUserAuthenticationFilter. Is there another code path that is used to ensure ApplicationHistoryServer is protected? {code} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java index 4e3a1e6..11f1b07 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java @@ -28,8 +28,10 @@ import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; import org.apache.hadoop.metrics2.source.JvmMetrics; +import org.apache.hadoop.security.AuthenticationFilterInitializer; import org.apache.hadoop.security.HttpCrossOriginFilterInitializer; import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer; import org.apache.hadoop.service.CompositeService; import org.apache.hadoop.service.Service; import org.apache.hadoop.util.ExitUtil; 
@@ -261,8 +263,15 @@ private void startWebApp() { } TimelineServerUtils.addTimelineAuthFilter( initializers, defaultInitializers, secretManagerService); + + Set<String> ignoreInitializers = new LinkedHashSet<String>(); + ignoreInitializers.add(AuthenticationFilterInitializer.class.getName()); + ignoreInitializers.add( + ProxyUserAuthenticationFilterInitializer.class.getName()); + TimelineServerUtils.setTimelineFilters( - conf, initializers, defaultInitializers); + conf, initializers, defaultInitializers, ignoreInitializers); + String bindAddress = WebAppUtils.getWebAppBindURL(conf, YarnConfiguration.TIMELINE_SERVICE_BIND_HOST, WebAppUtils.getAHSWebAppURLWithoutScheme(conf)); {code} Is there any way to make the initialization code more straight forward? > Make sure all end point URL is covered by the same AuthenticationFilter > ----------------------------------------------------------------------- > > Key: HADOOP-16314 > URL: https://issues.apache.org/jira/browse/HADOOP-16314 > Project: Hadoop Common > Issue Type: Sub-task > Components: security > Reporter: Eric Yang > Assignee: Prabhu Joseph > Priority: Major > Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch, > HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch, > Hadoop Web Security.xlsx, scan.txt > > > In the enclosed spreadsheet, it shows the list of web applications deployed > by Hadoop, and filters applied to each entry point. > Hadoop web protocol impersonation has been inconsistent. Most of entry point > do not support ?doAs parameter. This creates problem for secure gateway like > Knox to proxy Hadoop web interface on behave of the end user. When the > receiving end does not check for ?doAs flag, web interface would be accessed > using proxy user credential. This can lead to all kind of security holes > using path traversal to exploit Hadoop. > In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to > solve the web impersonation problem. 
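Review bot: the ignore set built in the startWebApp() hunk excludes both AuthenticationFilterInitializer and ProxyUserAuthenticationFilterInitializer from setTimelineFilters, and nothing in the visible lines says why that is safe; the only authentication wiring shown is the preceding TimelineServerUtils.addTimelineAuthFilter(initializers, defaultInitializers, secretManagerService) call. If the intent is that the timeline auth filter supersedes both initializers, a one-line comment above `Set<String> ignoreInitializers = new LinkedHashSet<String>();` stating that would document it, and a test that starts ApplicationHistoryServer with each of those two classes present in the configured initializers and asserts that its web endpoints still reject unauthenticated requests would catch a regression where the ignore list silently drops authentication coverage. Minor points: the import hunk adds the two initializer classes but not java.util.Set or java.util.LinkedHashSet, so confirm those are already imported in this file; `new LinkedHashSet<String>()` can use the diamond operator; and the added blank lines (before the Set declaration, after it, and before `String bindAddress`) are stray whitespace.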
This task is to track changes required > in Hadoop code base to apply authentication filter globally for each of the > web service ports.