hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10671) Unify and simplify common configurations for authentication filters between web console and web hdfs
Date Fri, 13 Mar 2015 08:12:38 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360089#comment-14360089 ]

Kai Zheng commented on HADOOP-10671:
------------------------------------

Sorry I'm late on this.

Without this change, the following properties may need to be configured for web hdfs, in addition
to the similar ones with the "hadoop.http" prefix for the web UI:
{code}
### The following properties are for AuthenticationFilter ###
dfs.web.authentication.type #auth type
dfs.web.authentication.signature.secret # signature secret string value
dfs.web.authentication.token.validity
dfs.web.authentication.cookie.domain
dfs.web.authentication.cookie.path

#The following properties are for AuthenticationHandlers. It depends on auth type.
dfs.web.authentication.kerberos.principal
dfs.web.authentication.kerberos.keytab
dfs.web.authentication.kerberos.name.rules
...
{code}

With this change, all the above configuration properties can be avoided if we're using the
same auth filter and handler/type with web UI. We only need the ones like the following for
both web UI and web hdfs.
{code}
### The following properties are for AuthenticationFilter ###
hadoop.http.authentication.type #auth type
hadoop.http.authentication.signature.secret # signature secret string value
hadoop.http.authentication.token.validity
hadoop.http.authentication.cookie.domain
hadoop.http.authentication.cookie.path

#The following properties are for AuthenticationHandlers. It depends on auth type.
hadoop.http.authentication.kerberos.principal
hadoop.http.authentication.kerberos.keytab
hadoop.http.authentication.kerberos.name.rules
...
{code}

Makes sense? Thanks for comments.

> Unify and simplify common configurations for authentication filters between web console and web hdfs
> ----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10671
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10671
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>         Attachments: HADOOP-10671-v3.patch, hadoop-10671-v2.patch, hadoop-10671.patch
>
>
> Currently it's not able to single sign on between hadoop web console and webhdfs since they don't share common configurations as required to, such as signature secret to sign authentication token, and domain cookie etc. This improvement would allow sso between the two, and also simplify the configuration by removing the duplicate effort for the two parts.
> The sso makes sense because in current web console, it integrates webhdfs and we should avoid redundant sign on in different mechanisms. This is necessary when a certain authentication mechanism other than SPNEGO is desired across web console and webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
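
A configuration check for the duplication this message describes, as an added example that is not part of the original comment or of the HADOOP-10671 patch: it reads two Hadoop site files and classifies each `dfs.web.authentication.*` key against its `hadoop.http.authentication.*` counterpart. The sample file contents, the status labels and the helper names are constructed for illustration; placing the shared keys in core-site.xml and the webhdfs keys in hdfs-site.xml is an assumption.

```python
import xml.etree.ElementTree as ET

WEBHDFS = "dfs.web.authentication."
SHARED = "hadoop.http.authentication."
# Settings the issue description names as required in common for SSO.
SSO_CRITICAL = {"signature.secret", "cookie.domain"}

def load_props(xml_text):
    """Parse Hadoop *-site.xml text into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(core_site_xml, hdfs_site_xml):
    """Classify every dfs.web.authentication.* key against its shared twin."""
    props = load_props(core_site_xml)
    props.update(load_props(hdfs_site_xml))
    findings = []
    for name in sorted(n for n in props if n.startswith(WEBHDFS)):
        suffix = name[len(WEBHDFS):]
        shared = props.get(SHARED + suffix)
        if shared is None:
            status = "webhdfs-only"          # no shared key to fall back on
        elif shared == props[name]:
            status = "duplicate"             # redundant once settings are unified
        elif suffix in SSO_CRITICAL:
            status = "conflict-breaks-sso"   # the two filters cannot share a token
        else:
            status = "conflict"
        findings.append((suffix, status))    # values (secrets) are never echoed
    return findings

# Constructed sample configs; every value below is made up for the demo.
def site_xml(prefix, pairs):
    body = "".join(f"<property><name>{prefix}{k}</name><value>{v}</value></property>"
                   for k, v in pairs.items())
    return f"<configuration>{body}</configuration>"
CORE_SITE = site_xml(SHARED, {"type": "kerberos", "signature.secret": "secret-A",
                              "cookie.domain": "example.com", "token.validity": "36000"})
HDFS_SITE = site_xml(WEBHDFS, {"type": "kerberos", "signature.secret": "secret-B",
                               "cookie.domain": "example.com", "token.validity": "3600",
                               "kerberos.keytab": "/etc/security/http.keytab"})

if __name__ == "__main__":
    for suffix, status in audit(CORE_SITE, HDFS_SITE):
        print(f"{WEBHDFS}{suffix}: {status}")
```
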
