[ 
https://issues.apache.org/jira/browse/YARN-8790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639039#comment-16639039
 ] 

Eric Yang commented on YARN-8790:
---------------------------------

Used curl as a sanity test with YARN-8763 patch 004, and verified that the container 
shell WebSocket is protected by AuthenticationFilter:

{code}
curl -i --negotiate -u : -H 'Upgrade: websocket' -H 'Connection: Upgrade' \
  -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==' \
  http://hadoop.example.com:8042/container/v1
HTTP/1.1 401 Authentication required
Date: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 272

HTTP/1.1 101 Switching Protocols
Date: Thu, 04 Oct 2018 21:02:22 GMT
Cache-Control: no-cache
Expires: Thu, 04 Oct 2018 21:02:22 GMT
Date: Thu, 04 Oct 2018 21:02:22 GMT
Pragma: no-cache
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCP+d4BKPjrGJcC8EEDX5by19u6EetMvscxmkmImFrRFZCT+EdKYbaBIaNn9/Td/fmIW6EOQeXBy6T8UMmAP2588qi
Set-Cookie: hadoop.auth="u=hbase&p=hbase/hadoop.example....@example.com&t=kerberos&e=1538722942268&s=DPKQ5Q58BR7LqZTkw2EyhLNpFN3MggMRJzX49SipyYE="; Path=/; Domain=example.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Upgrade: WebSocket
{code}

> Authentication Filter change to force security check 
> -----------------------------------------------------
>
>                 Key: YARN-8790
>                 URL: https://issues.apache.org/jira/browse/YARN-8790
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zian Chen
>            Priority: Major
>              Labels: Docker
>
> Hadoop node manager REST API is authenticated using AuthenticationFilter from 
> Hadoop-auth project. AuthenticationFilter is added to the new WebSocket URL 
> path spec. The requested remote user is verified to match the container owner 
> to allow WebSocket connection to be established. WebSocket servlet code 
> enforces the username match check.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
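
The manual curl check in the comment above can be turned into a repeatable regression test. The following is an added example, not code from the JIRA thread or from Hadoop: it parses `curl -i` output and confirms that the upgrade was preceded by a 401 challenge, that the 101 response carries a `hadoop.auth` token, and that `Sec-WebSocket-Accept` matches the key that was sent. The function names and the shortened transcript are assumptions made for illustration, and the container-owner match described in the issue is not covered.

```python
import base64, hashlib
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Constructed sample: the two responses above, reduced to the headers checked.
TRANSCRIPT = """\
HTTP/1.1 401 Authentication required
Set-Cookie: hadoop.auth=; Path=/; Domain=example.com; HttpOnly

HTTP/1.1 101 Switching Protocols
Set-Cookie: hadoop.auth="u=hbase&t=kerberos"; Path=/; Domain=example.com; HttpOnly
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
"""

def parse_responses(text):
    # Split `curl -i` output into (status, headers) pairs; body blocks are skipped.
    out = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        first, *rest = block.splitlines() or [""]
        if first.startswith("HTTP/"):
            headers = {}
            for line in rest:
                name, _, value = line.partition(":")
                headers.setdefault(name.strip().lower(), []).append(value.strip())
            out.append((int(first.split()[1]), headers))
    return out

def expected_accept(key):
    # RFC 6455: base64(SHA-1(key + GUID)) ties the 101 to the key we sent.
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def auth_cookie(headers):
    for cookie in headers.get("set-cookie", []):
        if cookie.startswith("hadoop.auth="):
            return cookie[len("hadoop.auth="):].split(";", 1)[0].strip('"')
    return ""  # absent or cleared cookie

def check_handshake(text, key):
    # Findings for one transcript; an empty list means the upgrade was gated.
    responses = parse_responses(text)
    upgrade = next((h for status, h in responses if status == 101), None)
    checks = [
        (bool(responses) and responses[0][0] == 401, "first response is not a 401 challenge"),
        (upgrade is not None, "no 101 response in transcript"),
        (upgrade is None or auth_cookie(upgrade) != "", "101 issued without a hadoop.auth token"),
        (upgrade is None or upgrade.get("sec-websocket-accept") == [expected_accept(key)],
         "Sec-WebSocket-Accept does not match the key"),
    ]
    return [message for ok, message in checks if not ok]
```

Feed it the saved output of the curl command together with the `Sec-WebSocket-Key` that was sent; any finding indicates the WebSocket path spec is not behaving as the transcript above shows.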
