[ https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855152#comment-16855152 ]

Eric Yang commented on HADOOP-16314:
------------------------------------

[~Prabhu Joseph] If I am reading the patch 5 code correctly, this will ignore both 
AuthenticationFilter and ProxyUserAuthenticationFilter.  Is there another 
code path that is used to ensure ApplicationHistoryServer is protected?

{code}
diff --git 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
index 4e3a1e6..11f1b07 100644
--- 
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
+++ 
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/ApplicationHistoryServer.java
@@ -28,8 +28,10 @@
 import org.apache.hadoop.http.HttpServer2;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.metrics2.source.JvmMetrics;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
 import org.apache.hadoop.security.HttpCrossOriginFilterInitializer;
 import org.apache.hadoop.security.SecurityUtil;
+import 
org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer;
 import org.apache.hadoop.service.CompositeService;
 import org.apache.hadoop.service.Service;
 import org.apache.hadoop.util.ExitUtil;
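Review bot: no import of java.util.Set or java.util.LinkedHashSet is added alongside the two new initializer imports, yet the change to startWebApp() below introduces `Set<String> ignoreInitializers = new LinkedHashSet<String>();`; confirm both are already imported earlier in the file (above the lines shown) or add them in this hunk so the file compiles.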
@@ -261,8 +263,15 @@ private void startWebApp() {
     }
     TimelineServerUtils.addTimelineAuthFilter(
         initializers, defaultInitializers, secretManagerService);
+
+    Set<String> ignoreInitializers = new LinkedHashSet<String>();
+    ignoreInitializers.add(AuthenticationFilterInitializer.class.getName());
+    ignoreInitializers.add(
+        ProxyUserAuthenticationFilterInitializer.class.getName());
+
     TimelineServerUtils.setTimelineFilters(
-        conf, initializers, defaultInitializers);
+        conf, initializers, defaultInitializers, ignoreInitializers);
+
     String bindAddress = WebAppUtils.getWebAppBindURL(conf,
                           YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
                           WebAppUtils.getAHSWebAppURLWithoutScheme(conf));
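Review bot: the ignore set drops both AuthenticationFilterInitializer and ProxyUserAuthenticationFilterInitializer from the filter chain with no comment explaining why, and nothing in this hunk verifies that the timeline auth filter registered by the preceding `TimelineServerUtils.addTimelineAuthFilter(initializers, defaultInitializers, secretManagerService);` call actually ended up in `initializers`; if that call ever adds nothing, every ApplicationHistoryServer endpoint would be served with no authentication filter at all. Suggest a comment stating that the timeline filter supersedes the two generic ones, plus a check (assert or at least a log line) that `initializers` contains the timeline filter before `ignoreInitializers` is handed to setTimelineFilters. Minor: `new LinkedHashSet<String>()` can use the diamond operator, and the new four-argument setTimelineFilters overload should get a javadoc line describing the ignore semantics, since this caller is the only place that documents them.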
{code}

Is there any way to make the initialization code more straight forward?

> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-16314
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch, 
> HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch, 
> Hadoop Web Security.xlsx, scan.txt
>
>
> In the enclosed spreadsheet, it shows the list of web applications deployed 
> by Hadoop, and filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent.  Most entry points 
> do not support the ?doAs parameter.  This creates a problem for a secure gateway like 
> Knox to proxy the Hadoop web interface on behalf of the end user.  When the 
> receiving end does not check for the ?doAs flag, the web interface would be accessed 
> using the proxy user credential.  This can lead to all kinds of security holes 
> using path traversal to exploit Hadoop. 
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to 
> solve the web impersonation problem.  This task is to track changes required 
> in the Hadoop code base to apply the authentication filter globally for each of the 
> web service ports.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
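The issue description above explains the failure mode behind this task: a gateway such as Knox authenticates as its own principal and passes the end user in `?doAs=`, and an endpoint that ignores `doAs` runs the request as the gateway itself. The following is an added illustration written for this page, not Hadoop's or Knox's code. It models the proxy-user rule Hadoop applies (the `hadoop.proxyuser.<user>.hosts`, `.users` and `.groups` keys) and contrasts an endpoint that honours `?doAs` with one that lacks the impersonation filter. The configuration values, group memberships, ACL and request paths are constructed samples; `ProxyUserAuthenticationFilter` itself is not reproduced.

```python
"""Model of Hadoop-style web impersonation (?doAs) handling.

Added illustration, not Hadoop's own code. It reproduces the proxy-user
rule (hadoop.proxyuser.<user>.hosts / .users / .groups) and shows what an
endpoint acts as with and without the impersonation check.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample of core-site.xml proxyuser entries (assumed values).
PROXYUSER_CONF = {
    "hadoop.proxyuser.knox.hosts": "gateway1.example.com",
    "hadoop.proxyuser.knox.groups": "analysts",
}

# Constructed group membership, standing in for Hadoop's group mapping.
GROUPS = {"alice": {"analysts"}, "mallory": {"contractors"}, "hdfs": {"hadoop"}}

# Constructed ACL of the example endpoint: who may read the "admin" view.
ADMIN_ACL = {"knox", "hdfs"}


@dataclass
class Request:
    authenticated_user: str   # principal established by the SPNEGO/Kerberos filter
    remote_host: str          # host the request arrived from
    url: str                  # path plus query string


class ImpersonationError(Exception):
    """Raised when the proxy user is not allowed to act as the doAs user."""


def _split(conf_value):
    return {v.strip() for v in conf_value.split(",") if v.strip()} if conf_value else set()


def authorize_impersonation(proxy_user, doas_user, remote_host,
                            conf=PROXYUSER_CONF, groups=GROUPS):
    """Return doas_user if proxy_user may impersonate them from remote_host.

    The proxy user needs a matching hadoop.proxyuser.<proxy>.hosts entry
    (or '*') and the target user must be listed under .users or belong to a
    group listed under .groups (or '*' in either).
    """
    prefix = f"hadoop.proxyuser.{proxy_user}."
    hosts = _split(conf.get(prefix + "hosts"))
    if "*" not in hosts and remote_host not in hosts:
        raise ImpersonationError(f"{proxy_user} may not impersonate from {remote_host}")
    users = _split(conf.get(prefix + "users"))
    allowed_groups = _split(conf.get(prefix + "groups"))
    if "*" in users or doas_user in users:
        return doas_user
    if "*" in allowed_groups or groups.get(doas_user, set()) & allowed_groups:
        return doas_user
    raise ImpersonationError(f"{proxy_user} may not impersonate {doas_user}")


def effective_user(req, honour_doas=True):
    """Compute the user the endpoint acts as.

    honour_doas=False models an endpoint that lacks the impersonation
    filter: ?doAs is ignored and the request runs as the gateway's own
    principal, which is exactly the hole the issue describes.
    """
    query = parse_qs(urlsplit(req.url).query)
    doas = query.get("doAs", [None])[0]
    if not honour_doas or doas is None:
        return req.authenticated_user
    return authorize_impersonation(req.authenticated_user, doas, req.remote_host)


def admin_view_allowed(req, honour_doas=True):
    """True if the effective user passes the endpoint's ACL."""
    return effective_user(req, honour_doas) in ADMIN_ACL


if __name__ == "__main__":
    r = Request("knox", "gateway1.example.com",
                "/ws/v1/applicationhistory/apps?doAs=alice")
    # With the check: alice, who is not in ADMIN_ACL -> denied.
    print(effective_user(r), admin_view_allowed(r))
    # Without the check: the request runs as knox and passes the ACL.
    print(effective_user(r, honour_doas=False), admin_view_allowed(r, honour_doas=False))
```

The last two lines of the `__main__` block are the point of the example: the same request is denied when `doAs` is honoured and granted when it is silently dropped, because the gateway principal is typically far more privileged than the user it fronts. A proxy user requesting a target outside its configured hosts or groups raises `ImpersonationError`, which a real filter would translate into a 403.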
