hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-7119) add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
Date Fri, 28 Jan 2011 09:54:46 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988016#action_12988016 ]

Alejandro Abdelnur commented on HADOOP-7119:
--------------------------------------------

Regarding previous comment by Hadoop QA, "-1 on tests included"

The patch adds a filter in front of the JSP in hadoop-hdfs and hadoop-mapreduce. 

The logic of this filter is implemented in Alfredo and tested in the Alfredo build.

The manual steps for testing this patch set are:

* build Hadoop 
* install Hadoop

Testing Hadoop with pseudo/simple authentication:

* start Hadoop
* check that HTTP web-consoles work (as usual)
* stop Hadoop
* add, in core-site.xml, the property
** hadoop.http.authentication.simple.anonymous.allowed=false
* start Hadoop
* try to access HTTP web-consoles, it will return 401 (unauthorized)
* access HTTP web-consoles using the query string *?user.name=foo*

Testing Hadoop with kerberos authentication:

* make sure KDC is running (assuming realm name is REALM)
* create a principal HTTP/localhost@REALM, create ~/hadoop.keytab file with its credentials
* make sure there are no Kerberos credentials in the OS cache, run kdestroy
* add, in core-site.xml, the following properties 
** hadoop.http.authentication.type=kerberos
** hadoop.http.authentication.kerberos.principal=HTTP/localhost@REALM
** hadoop.http.authentication.kerberos.keytab=${user.home}/hadoop.keytab
* restart hadoop
* try to access HTTP web-consoles, it will return 401 (unauthorized) or the browser will attempt to initiate a kerberos session
* do kinit to initiate a kerberos session
* access HTTP web-consoles using a browser that supports HTTP SPNEGO (Firefox or IE)



> add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-7119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7119
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>         Environment: all
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: ha-commons.patch
>
>
> Currently the JT/NN/DN/TT web-consoles don't support any form of authentication.
> Hadoop RPC API already supports Kerberos authentication.
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to Hadoop web consoles would provide a unified
> authentication mechanism and single sign-on for Hadoop web UI and Hadoop RPC.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
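
The core-site.xml settings used in the test steps above can be checked before restarting Hadoop. The following is an added example, not part of the original message or of the HADOOP-7119 patch: it audits the hadoop.http.authentication.* properties, assuming the defaults implied by the steps (simple type, anonymous access allowed); the function names and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "hadoop.http.authentication."

# Constructed sample files, not taken from the page's patch.
SIMPLE_LOCKED = """<configuration>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""

KERBEROS_INCOMPLETE = """<configuration>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name><value>HTTP/localhost@REALM</value></property>
</configuration>"""

def http_auth_props(xml_text):
    """Return the hadoop.http.authentication.* properties, prefix stripped."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            props[name[len(PREFIX):]] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means the consoles demand credentials."""
    p = http_auth_props(xml_text)
    # Assumed defaults, inferred from the test steps: simple type, anonymous allowed.
    auth_type = p.get("type", "simple")
    findings = []
    if auth_type == "simple":
        if p.get("simple.anonymous.allowed", "true").lower() != "false":
            findings.append("anonymous access allowed: consoles answer without user.name")
    elif auth_type == "kerberos":
        # SPNEGO clients request a ticket for the HTTP/<host> service principal.
        if not p.get("kerberos.principal", "").startswith("HTTP/"):
            findings.append("kerberos.principal must be an HTTP/<host>@REALM service principal")
        if not p.get("kerberos.keytab"):
            findings.append("kerberos.keytab is not set")
    else:
        findings.append("authentication type not covered by the test steps: " + auth_type)
    return findings

if __name__ == "__main__":
    for label, text in (("simple", SIMPLE_LOCKED), ("kerberos", KERBEROS_INCOMPLETE)):
        print(label, audit(text) or "ok")
```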

