Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0E44C18A99 for ; Tue, 9 Feb 2016 22:39:36 +0000 (UTC) Received: (qmail 76948 invoked by uid 500); 9 Feb 2016 22:24:21 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 76646 invoked by uid 500); 9 Feb 2016 22:24:21 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 75831 invoked by uid 99); 9 Feb 2016 22:17:20 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Feb 2016 22:17:20 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id A15B42C1F70 for ; Tue, 9 Feb 2016 22:17:18 +0000 (UTC) Date: Tue, 9 Feb 2016 22:17:18 +0000 (UTC) From: "Allen Wittenauer (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HDFS-9760) WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-9760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Allen Wittenauer updated HDFS-9760: ----------------------------------- Resolution: Fixed Fix Version/s: 2.8.0 Status: Resolved (was: Patch Available) +1 committed to 2.8 thanks! > WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler > ---------------------------------------------------------------------------- > > Key: HDFS-9760 > URL: https://issues.apache.org/jira/browse/HDFS-9760 > Project: Hadoop HDFS > Issue Type: Bug > Components: webhdfs > Reporter: Ryan Sasson > Assignee: Ryan Sasson > Fix For: 2.8.0 > > Attachments: HDFS-9760.patch > > > Currently the WebHDFS AuthFilter selects its authentication type based on a call to UserGroupInformation.isSecurityEnabled() with only two choices, KerberosAuthentication or PsuedoAuthentication. Thus there is no condition where the WebHDFS server can be configured with a custom AltKerberos authentication handler. > Additionally, at the time the WebHDFS AuthFilter is initialized the method getAuthFilterParams(conf) is called in NameNodeHttpServer which picks and chooses a certain few configurations with the prefix 'dfs.web.authentication'. The issue is this method strips away the configuration that could set the authentication type AND additional configurations that are specific to the custom auth handler (using the prefix 'dfs.web.authentication.alt-kerberos'). > The consequence of this lack of configurability is that a user that makes authenticated access to the namenode web UI (through a custom authentication handler) will not be able to access the namenode file browser (because it is making ajax calls to WebHDFS that has a different authentication type). -- This message was sent by Atlassian JIRA (v6.3.4#6332)