HADOOP-19904. HttpServer2 access log does not record the authenticated user

[magnuma3]

Contains content generated by Claude Opus 4.7

Description of PR

HADOOP-19904

Problem

HttpServer2's access log always records - in the %u position even
for authenticated requests:
Affects every HttpServer2-backed daemon (NN/DN/RM/NM/HttpFS/KMS).

Root cause

AuthenticationFilter wraps HttpServletRequest so downstream
filters and servlets see the user via getRemoteUser(). The wrap
only flows through the filter chain. Jetty's RequestLogHandler
runs outside the chain on the base Request, whose
getAuthentication() stays as NOT_CHECKED forever.

Jetty's native auth path (jetty-security Authenticators) sets
Request.setAuthentication(...) directly, which is why standard
deployments don't have this issue. Hadoop avoids jetty-security
for container portability and pays this cost.

Fix

Add a static helper JettyAuthenticationHelper.publishRemoteUser(...)
in hadoop-auth that:

1. Reads the effective user (getRemoteUser() or an explicit name),
2. Calls Request.setAuthentication(...) on the base Request with
   a minimal inline Authentication.User (no jetty-security
   dependency),

Invocation sites cover the paths where the effective user is decided:

• AuthenticationFilter.doFilter(filterChain, request, response) —
  the protected hook called after wrapping. Subclasses
  (ProxyUserAuthenticationFilter, DelegationTokenAuthenticationFilter)
  wrap with doAs/UGI and route through super.doFilter, so this
  single hook covers them.
• DelegationTokenAuthenticationHandler.managementOperation for
  GETDELEGATIONTOKEN/RENEW/CANCEL — the handler writes the
  response inline and returns false, skipping the filter chain, so
  the helper is called directly there.
• JspHelper.getUGI for HDFS Web UI / WebHDFS servlets that resolve
  UGI outside the filter chain.

No HttpServer2 configuration changes required; calls are inline at
each path. Works for both Kerberos and pseudo-auth (both feed the
user through getRemoteUser() / requestUgi).

How was this patch tested?

Added unit tests and verified on an internal cluster

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

If an AI tool was used:

• The PR includes the phrase "Contains content generated by "
  where is the name of the AI tool used.
• My use of AI contributions follows the ASF legal policy
  https://www.apache.org/legal/generative-tooling.html

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 33s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 1s		codespell was not available.
+0 🆗	detsecrets	0m 1s		detect-secrets was not available.
+0 🆗	xmllint	0m 1s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 2 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	2m 18s		Maven dependency ordering for branch
+1 💚	mvninstall	42m 54s		trunk passed
+1 💚	compile	16m 7s		trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚	compile	16m 27s		trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚	checkstyle	5m 31s		trunk passed
+1 💚	mvnsite	4m 44s		trunk passed
+1 💚	javadoc	3m 50s		trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚	javadoc	3m 51s		trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚	spotbugs	8m 26s		trunk passed
+1 💚	shadedclient	31m 56s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 28s		Maven dependency ordering for patch
+1 💚	mvninstall	2m 59s		the patch passed
+1 💚	compile	15m 26s		the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚	javac	15m 26s		the patch passed
+1 💚	compile	16m 44s		the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚	javac	16m 44s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	5m 34s		the patch passed
+1 💚	mvnsite	4m 48s		the patch passed
+1 💚	javadoc	3m 52s		the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚	javadoc	3m 52s		the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚	spotbugs	8m 54s		the patch passed
+1 💚	shadedclient	32m 22s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	3m 36s		hadoop-auth in the patch passed.
+1 💚	unit	23m 14s		hadoop-common in the patch passed.
+1 💚	unit	218m 51s		hadoop-hdfs in the patch passed.
+1 💚	asflicense	1m 24s		The patch does not generate ASF License warnings.
		481m 27s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/artifact/out/Dockerfile
GITHUB PR	#8521
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname	Linux ecadb1a4477c 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 4602350
Default Java	Ubuntu-17.0.18+8-Ubuntu-124.04.1
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/testReport/
Max. process+thread count	3427 (vs. ulimit of 10000)
modules	C: hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common hadoop-hdfs-project/hadoop-hdfs U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8521/1/console
versions	git=2.43.0 maven=3.9.15 spotbugs=4.9.7
Powered by	Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.