hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-2228) TimelineServer should load pseudo authentication filter when authentication = simple
Date Tue, 01 Jul 2014 09:20:24 GMT

     [ https://issues.apache.org/jira/browse/YARN-2228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Zhijie Shen updated YARN-2228:

    Attachment: YARN-2228.1.patch

Created a patch to make the following major changes:

1. Always load TimelineAuthentcationFilter when the timeline server is up.

2. Completely separate the timeline authentication configuration dependency from the common
part. All timeline authentication configurations start with "yarn.timeline-service.http.authentication".

3. When y.t.h.a.type = simple, TimelineAuthentcationFilter uses PseuodAuthenticationHandler
to process the request. It allow the timeline server to get the user name if the user specifies
"usern.name" in the URL param, and to use it as the owner of the entity that the user posts.
In this way, we can enable timeline ACLs even when kerberos authentication is not enabled
(aka insecure mode). When y.t.h.a.type = kerberos, everything works as before.

4. Updated TestTimelineWebServices to test ACLs under the "simple" authentication type instead
of mocking user name.

I've verified the patch locally in both secure and insecure cluster, which looked generally

> TimelineServer should load pseudo authentication filter when authentication = simple
> ------------------------------------------------------------------------------------
>                 Key: YARN-2228
>                 URL: https://issues.apache.org/jira/browse/YARN-2228
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: YARN-2228.1.patch
> When kerberos authentication is not enabled, we should let the timeline server to work
with pseudo authentication filter. In this way, the sever is able to detect the request user
by checking "user.name".
> On the other hand, timeline client should append "user.name" in un-secure case as well,
such that ACLs can keep working in this case. 

This message was sent by Atlassian JIRA

View raw message