hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-7119) add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
Date Fri, 28 Jan 2011 22:00:52 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988263#action_12988263

Alejandro Abdelnur commented on HADOOP-7119:

Thanks for the comments/feedback.

*On not using {{hadoop.http.filter.initializers}}*

I've completely missed the existence of this. I'll refactor the patch to levarage it, it will
make the patch much simpler and won't have to mock around with the build.

*On why dependent upon a cookie*

HTTP SPNEGO takes care of the authentication protocol only, it does not take care of keeping
track of authenticated requests. Once the HTTP SPNEGO sequence is complete, you responsible
for keeping track of authenticated user-agents. That is where the cookie comes into play,
this is how most HTTP authentication mechanisms work and browsers support it.

Furthermore, if you would not use cookies, you would initiate an HTTP SPNEGO authentication
sequence on every request, which requires an extra HTTP round trip. This would be an expensive
operation. And it would work only with HTTP GET requests (I believe this would not be an issue
for today's Hadoop console).

*On why not using HttpComponents*

As far as I know, HttpComponents is client side only. This patch is using Alfredo server side
authentication capabilities, not the client ones.

I'l work in a new patch using hadoop.http.filter.initializers.


> add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
> ----------------------------------------------------------------------------------
>                 Key: HADOOP-7119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7119
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>         Environment: all
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: ha-commons.patch
> Currently the JT/NN/DN/TT web-consoles don't support any form of authentication.
> Hadoop RPC API already supports Kerberos authentication.
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to Hadoop web consoles would provide a unified
authentication mechanism and single sign-on for Hadoop web UI and Hadoop RPC.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message