From: Visioner Sadak
To: user@hadoop.apache.org
Date: Thu, 12 Sep 2013 01:02:01 +0530
Subject: Re: hadoop web UI security

Ohh god, I think I have messed up badly!

I think my only option is to go for custom writing an AuthenticatorHandler as mentioned here: http://hadoop.apache.org/docs/stable/HttpAuthentication.html

Does anyone know any links on how to do it?

Thanks a lot, Harsh.

On Wed, Sep 11, 2013 at 9:37 PM, Harsh J <harsh@cloudera.com> wrote:
> What you're seeing is the right behavior for the auth type "simple".
> It just expects a username, and doesn't do anything other than that -
> i.e. there's no passwords/etc. or a user list to cross-reference to.
>
> For securing properly, you'd either need to use kerberos, or develop
> your own HTTP auth filter that allows only certain usernames or
> expects a password string too/do some other auth mechanism/etc.
>
> On Wed, Sep 11, 2013 at 1:16 PM, Visioner Sadak
> <visioner.sadak@gmail.com> wrote:
> > Hello friends, I'm using the below configuration to hide the hadoop web UI. The
> > problem is that when I access
> >
> > http://192.34.8.8:50070/
> >
> > it works properly and blocks access, but when I use
> >
> > http://192.34.8.8:50070/dfshealth.jsp?user.name=blahblahh (any username)
> >
> > it fails and allows access even if I set my signature username as hadoopuser.
> >
> > It's allowing access for any username.
> >
> > <property>
> >   <name>hadoop.http.filter.initializers</name>
> >   <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
> > </property>
> >
> > <property>
> >   <name>hadoop.http.authentication.type</name>
> >   <value>simple</value>
> > </property>
> >
> > <property>
> >   <name>hadoop.http.authentication.token.validity</name>
> >   <value>60</value>
> > </property>
> >
> > <property>
> >   <name>hadoop.http.authentication.signature.secret.file</name>
> >   <value>/home/hadoop/hadoop-0.23.3/conf/security/username</value>
> > </property>
> >
> > <property>
> >   <name>hadoop.http.authentication.cookie.domain</name>
> >   <value></value>
> > </property>
> >
> > <property>
> >   <name>hadoop.http.authentication.simple.anonymous.allowed</name>
> >   <value>false</value>
> > </property>
>
> --
> Harsh J
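
Added example (not part of the thread and not Hadoop project code): one way to write the custom handler Harsh J describes, here as an HTTP Basic check against a single account instead of the unauthenticated user.name parameter. The class name, the `basic.user` and `basic.password.sha256` keys, and Java 8+ are assumptions; the handler is selected by setting `hadoop.http.authentication.type` to its class name.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;

public class BasicAuthHandler implements AuthenticationHandler { // hypothetical class name
  private String user;    // the single account allowed in
  private byte[] pwHash;  // SHA-256 of its password
  public String getType() { return "basic"; }
  public void init(Properties config) throws ServletException {
    // Keys arrive with the "hadoop.http.authentication." prefix stripped (both keys are hypothetical).
    user = config.getProperty("basic.user");
    String hex = config.getProperty("basic.password.sha256");
    if (user == null || hex == null || !hex.matches("[0-9a-fA-F]{64}"))
      throw new ServletException("basic.user / basic.password.sha256 missing or malformed");
    pwHash = new byte[32];
    for (int i = 0; i < 32; i++)
      pwHash[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
  }
  public void destroy() { }
  // Declared by newer hadoop-auth versions of the interface; true means "go on to authenticate()".
  public boolean managementOperation(AuthenticationToken token, HttpServletRequest req,
      HttpServletResponse resp) { return true; }

  public AuthenticationToken authenticate(HttpServletRequest req, HttpServletResponse resp)
      throws IOException {
    String h = req.getHeader("Authorization");
    if (h != null && h.startsWith("Basic ")) {
      try {
        String[] up = new String(Base64.getDecoder().decode(h.substring(6).trim()),
            StandardCharsets.UTF_8).split(":", 2);
        byte[] got = MessageDigest.getInstance("SHA-256")
            .digest((up.length == 2 ? up[1] : "").getBytes(StandardCharsets.UTF_8));
        // Constant-time compare; the user.name query parameter is never consulted.
        if (up.length == 2 && up[0].equals(user) && MessageDigest.isEqual(got, pwHash))
          return new AuthenticationToken(user, user, getType());
      } catch (IllegalArgumentException | GeneralSecurityException e) { /* treat as failed login */ }
    }
    resp.setHeader("WWW-Authenticate", "Basic realm=\"hadoop\"");
    resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return null; // no token: the 401 above is the whole response
  }
}
```

Basic credentials travel in clear text unless the web UI is served over HTTPS, and the single SHA-256 here only keeps the password out of the configuration in plain form. `hadoop.http.authentication.signature.secret.file` holds the secret used to sign the authentication cookie, not a username.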