hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Sasson (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-9760) WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler
Date Thu, 04 Feb 2016 22:18:39 GMT
Ryan Sasson created HDFS-9760:
---------------------------------

             Summary: WebHDFS AuthFilter cannot be configured with custom AltKerberos auth
handler
                 Key: HDFS-9760
                 URL: https://issues.apache.org/jira/browse/HDFS-9760
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: webhdfs
            Reporter: Ryan Sasson
            Assignee: Ryan Sasson


Currently the WebHDFS AuthFilter selects its authentication type based on a call to UserGroupInformation.isSecurityEnabled()
with only two choices, KerberosAuthentication or PsuedoAuthentication. Thus there is no condition
where the WebHDFS server can be configured with a custom AltKerberos authentication handler.

Additionally, at the time the WebHDFS AuthFilter is initialized the method getAuthFilterParams(conf)
is called in NameNodeHttpServer which picks and chooses a certain few configurations with
the prefix 'dfs.web.authentication'. The issue is this method strips away the configuration
that could set the authentication type AND additional configurations that are specific to
the custom auth handler (using the prefix 'dfs.web.authentication.alt-kerberos').

The consequence of this lack of configurability is that a user that makes authenticated access
to the namenode web UI (through a custom authentication handler) will not be able to access
the namenode file browser (because it is making ajax calls to WebHDFS that has a different
authentication type). 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message