[ https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16474510#comment-16474510 ]
Eric Yang commented on YARN-8108: --------------------------------- Kerberos SPN support by browser definition are: HTTP/<host name>, where <host name> is either white list server name or canonical DNS name of the server. Chrome, IE, and Firefox all shares the similar logic. Firefox and IE don't allow canonical DNS to prevent MITM attack. Safari and Chrome supports canonical DNS with options to disable canonical DNS. >From Server point of view, a single server can host multiple virtual hosts >with different web applications. This is technically possible to configure >web server to run with multiple SPN. It is incorrect to assume that same >virtual host can serve two different SPN for two different subset of URLs. >All browsers do not support subset of URLs to be served by one SPN, while >other subset of URLs to be served by another SPN. In Hadoop 0.2x, Hadoop components are designed to serve a collection of servlets (log, static, cluster) per port. Therefore, AuthenticationFilter can cover the entire port by targeting the fixed set of servlet for filtering, that matches browser expectation without problem. AuthenticationFilter was later reused in Hadoop 1.x and 2.x as Kerberos SPNEGO filter. The current problem is only surfaced when multiple web contexts are configured to share on the same port with same server hostname, and each web contexts tried to initialize its own SPN. This is not by design and it just happened due to code reuse and lack of testing. For Hadoop 2.x+ to offer embedded services securely, the individual AuthenticationFilter can be turned into one [security handler|http://www.eclipse.org/jetty/documentation/9.3.x/architecture.html#_handlers] to match Jetty design specification. This fall through the crack in open source when no one is looking because the first security mechanism for Hadoop was to implement a XSS filter (was committed as part of Chukwa) instead of security handler. Unfortunately, Hadoop security mechanisms followed the bottom up approach to implement as filter instead of following web application design to write security handler as Handlers. Due to lack of understanding that session persistence require authentication and authorization security mechanism to be built differently from web filters. The one line change is to loop through all Context and ensure all contexts are registered with the same AuthenticationFilter to apply one filter globally to all URLs. This is the reason that this one line patch can plug this security hole in the short term bug fix. The long term solution is writing security handler to match handler design to ensure no API breakage during jetty version upgrade and improve session persistence in Hadoop web applications, which is beyond the scope of this JIRA. > RM metrics rest API throws GSSException in kerberized environment > ----------------------------------------------------------------- > > Key: YARN-8108 > URL: https://issues.apache.org/jira/browse/YARN-8108 > Project: Hadoop YARN > Issue Type: Bug > Affects Versions: 3.0.0 > Reporter: Kshitij Badani > Assignee: Eric Yang > Priority: Blocker > Attachments: YARN-8108.001.patch > > > Test is trying to pull up metrics data from SHS after kiniting as 'test_user' > It is throwing GSSException as follows > {code:java} > b2b460b80713|RUNNING: curl --silent -k -X GET -D > /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate -u : > http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15 > 07:15:48,757|INFO|MainThread|machine.py:194 - > run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0 > 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 - > getMetricsJsonData()|metrics: > <html> > <head> > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > <title>Error 403 GSSException: Failure unspecified at GSS-API level > (Mechanism level: Request is a replay (34))</title> > </head> > <body><h2>HTTP ERROR 403</h2> > <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json. > Reason: > <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: > Request is a replay (34))</pre></p> > </body> > </html> > {code} > Rootcausing :Â proxyserver on RM can't be supported for Kerberos enabled > cluster because AuthenticationFilter is applied twice in Hadoop code (once in > httpServer2 for RM, and another instance from AmFilterInitializer for proxy > server). This will require code changes to hadoop-yarn-server-web-proxy > project -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org