[
https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16474510#comment-16474510
]
Eric Yang commented on YARN-8108:
---------------------------------
Kerberos SPN support by browser definition are:
HTTP/<host name>, where <host name> is either white list server name or
canonical DNS name of the server. Chrome, IE, and Firefox all shares the
similar logic. Firefox and IE don't allow canonical DNS to prevent MITM
attack. Safari and Chrome supports canonical DNS with options to disable
canonical DNS.
>From Server point of view, a single server can host multiple virtual hosts
>with different web applications. This is technically possible to configure
>web server to run with multiple SPN. It is incorrect to assume that same
>virtual host can serve two different SPN for two different subset of URLs.
>All browsers do not support subset of URLs to be served by one SPN, while
>other subset of URLs to be served by another SPN.
In Hadoop 0.2x, Hadoop components are designed to serve a collection of
servlets (log, static, cluster) per port. Therefore, AuthenticationFilter can
cover the entire port by targeting the fixed set of servlet for filtering, that
matches browser expectation without problem. AuthenticationFilter was later
reused in Hadoop 1.x and 2.x as Kerberos SPNEGO filter.
The current problem is only surfaced when multiple web contexts are configured
to share on the same port with same server hostname, and each web contexts
tried to initialize its own SPN. This is not by design and it just happened
due to code reuse and lack of testing. For Hadoop 2.x+ to offer embedded
services securely, the individual AuthenticationFilter can be turned into one
[security
handler|http://www.eclipse.org/jetty/documentation/9.3.x/architecture.html#_handlers]
to match Jetty design specification. This fall through the crack in open
source when no one is looking because the first security mechanism for Hadoop
was to implement a XSS filter (was committed as part of Chukwa) instead of
security handler. Unfortunately, Hadoop security mechanisms followed the
bottom up approach to implement as filter instead of following web application
design to write security handler as Handlers. Due to lack of understanding
that session persistence require authentication and authorization security
mechanism to be built differently from web filters.
The one line change is to loop through all Context and ensure all contexts are
registered with the same AuthenticationFilter to apply one filter globally to
all URLs. This is the reason that this one line patch can plug this security
hole in the short term bug fix. The long term solution is writing security
handler to match handler design to ensure no API breakage during jetty version
upgrade and improve session persistence in Hadoop web applications, which is
beyond the scope of this JIRA.
> RM metrics rest API throws GSSException in kerberized environment
> -----------------------------------------------------------------
>
> Key: YARN-8108
> URL: https://issues.apache.org/jira/browse/YARN-8108
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Kshitij Badani
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-8108.001.patch
>
>
> Test is trying to pull up metrics data from SHS after kiniting as 'test_user'
> It is throwing GSSException as follows
> {code:java}
> b2b460b80713|RUNNING: curl --silent -k -X GET -D
> /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate -u :
> http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15
> 07:15:48,757|INFO|MainThread|machine.py:194 -
> run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0
> 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 -
> getMetricsJsonData()|metrics:
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json.
> Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Request is a replay (34))</pre></p>
> </body>
> </html>
> {code}
> Rootcausing :Â proxyserver on RM can't be supported for Kerberos enabled
> cluster because AuthenticationFilter is applied twice in Hadoop code (once in
> httpServer2 for RM, and another instance from AmFilterInitializer for proxy
> server). This will require code changes to hadoop-yarn-server-web-proxy
> project
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
