KWON BYUNGCHANG created HDFS-17928:
--------------------------------------
Summary: HttpServer2 access log does not record the authenticated
user
Key: HDFS-17928
URL: https://issues.apache.org/jira/browse/HDFS-17928
Project: Hadoop HDFS
Issue Type: Bug
Reporter: KWON BYUNGCHANG
## Problem
HttpServer2's access log always records `-` in the `%u` position even
for authenticated requests:
Affects every HttpServer2-backed daemon (NN/DN/RM/NM/HttpFS/KMS).
## Root cause
`AuthenticationFilter` wraps `HttpServletRequest` so downstream
filters and servlets see the user via `getRemoteUser()`. The wrap
only flows through the filter chain. Jetty's `RequestLogHandler`
runs outside the chain on the base `Request`, whose
`getAuthentication()` stays as `NOT_CHECKED` forever.
Jetty's native auth path (`jetty-security` Authenticators) sets
`Request.setAuthentication(...)` directly, which is why standard
deployments don't have this issue. Hadoop avoids `jetty-security`
for container portability and pays this cost.
## Fix
Install a small Servlet `Filter` (in hadoop-common) after the
auth filters that:
1. Reads `getRemoteUser()` from the wrapped request,
2. Calls `Request.setAuthentication(...)` on the base `Request`
with a minimal inline `Authentication.User` (no
`jetty-security` dependency).
`HttpServer2.initializeWebServer` installs it automatically after
`FilterInitializer`s; no configuration needed. Works for both
Kerberos and pseudo-auth — both feed the user through
`getRemoteUser()`.
## Known gap
`DelegationTokenAuthenticationHandler.managementOperation` writes
its response inline and returns `false`, so `AuthenticationFilter`
skips `filterChain.doFilter`. The bridge filter doesn't run for
token mgmt requests; the handler attaches directly there.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
