hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-2247) Allow RM web services users to authenticate using delegation tokens
Date Wed, 23 Jul 2014 14:46:40 GMT

     [ https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Varun Vasudev updated YARN-2247:

    Attachment: apache-yarn-2247.4.patch

Varun Vasudev, thanks for your patience on my comments. The new patch looks almost good to
me. Just some nits:

1. Should not be necessary. Always load TimelineAuthenticationFilter. With "simple" type,
still the pseudo handler is to used.
+    if (authType.equals("simple") && !UserGroupInformation.isSecurityEnabled()) {
+      container.addFilter("authentication",
+        AuthenticationFilter.class.getName(), filterConfig);
+      return;
+    }
Good point. Fixed.

2. Check not null first for testMiniKDC and rm? Same for TestRMWebappAuthentication
+    testMiniKDC.stop();
+    rm.stop();

3. I didn't find the logic to forbid it. Anyway, is it good to mention it in the document
as well?
+  // Test to make sure that we can't do delegation token
+  // functions using just delegation token auth
The test is in RMWebServices.
callerUGI = createKerberosUserGroupInformation(hsr);
which in turn has this check 
    String authType = hsr.getAuthType();
    if (!KerberosAuthenticationHandler.TYPE.equals(authType)) {
      String msg =
          "Delegation token operations can only be carried out on a "
              + "Kerberos authenticated channel";
      throw new YarnException(msg);

I've documented it under the delegation token rest API section:
 All delegation token requests must be carried out on a Kerberos authenticated connection(using

> Allow RM web services users to authenticate using delegation tokens
> -------------------------------------------------------------------
>                 Key: YARN-2247
>                 URL: https://issues.apache.org/jira/browse/YARN-2247
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: apache-yarn-2247.0.patch, apache-yarn-2247.1.patch, apache-yarn-2247.2.patch,
apache-yarn-2247.3.patch, apache-yarn-2247.4.patch
> The RM webapp should allow users to authenticate using delegation tokens to maintain
parity with RPC.

This message was sent by Atlassian JIRA

View raw message