hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-2247) Allow RM web services users to authenticate using delegation tokens
Date Wed, 23 Jul 2014 14:46:40 GMT

     [ https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Varun Vasudev updated YARN-2247:
--------------------------------

    Attachment: apache-yarn-2247.4.patch

{quote}
Varun Vasudev, thanks for your patience on my comments. The new patch looks almost good to
me. Just some nits:

1. Should not be necessary. Always load TimelineAuthenticationFilter. With "simple" type,
still the pseudo handler is to used.
{noformat}
+    if (authType.equals("simple") && !UserGroupInformation.isSecurityEnabled()) {
+      container.addFilter("authentication",
+        AuthenticationFilter.class.getName(), filterConfig);
+      return;
+    }
{noformat}
{quote}
Good point. Fixed.

{quote}
2. Check not null first for testMiniKDC and rm? Same for TestRMWebappAuthentication
{noformat}
+    testMiniKDC.stop();
+    rm.stop();
{noformat}
{quote}
Fixed.

{quote}
3. I didn't find the logic to forbid it. Anyway, is it good to mention it in the document
as well?
{noformat}
+  // Test to make sure that we can't do delegation token
+  // functions using just delegation token auth
{noformat}
{quote}
The test is in RMWebServices.
{noformat}
callerUGI = createKerberosUserGroupInformation(hsr);
{noformat}
which in turn has this check 
{noformat}
    String authType = hsr.getAuthType();
    if (!KerberosAuthenticationHandler.TYPE.equals(authType)) {
      String msg =
          "Delegation token operations can only be carried out on a "
              + "Kerberos authenticated channel";
      throw new YarnException(msg);
    }
{noformat}

I've documented it under the delegation token rest API section:
{noformat}
 All delegation token requests must be carried out on a Kerberos authenticated connection(using
SPNEGO).
{noformat}

> Allow RM web services users to authenticate using delegation tokens
> -------------------------------------------------------------------
>
>                 Key: YARN-2247
>                 URL: https://issues.apache.org/jira/browse/YARN-2247
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: apache-yarn-2247.0.patch, apache-yarn-2247.1.patch, apache-yarn-2247.2.patch,
apache-yarn-2247.3.patch, apache-yarn-2247.4.patch
>
>
> The RM webapp should allow users to authenticate using delegation tokens to maintain
parity with RPC.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message