hadoop-yarn-issues mailing list archives

From "Jian He (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-4006) YARN ATS Alternate Kerberos HTTP Authentication Changes
Date Sat, 01 Aug 2015 01:05:05 GMT

     [ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jian He updated YARN-4006:
--------------------------
    Description: 
When attempting to use the Hadoop Alternate Authentication Classes, they do not exactly work
with what was built with https://issues.apache.org/jira/browse/YARN-1935.

I went ahead and made the following changes to support using a custom AltKerberos DelegationToken
class.

Changes to: TimelineAuthenticationFilterInitializer.class
{code}
   String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);


    LOG.info("AuthType Configured: "+authType);
    if (authType.equals(PseudoAuthenticationHandler.TYPE)) {

      filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          PseudoDelegationTokenAuthenticationHandler.class.getName());
        LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");

    } else if (authType.equals(KerberosAuthenticationHandler.TYPE)
        || (UserGroupInformation.isSecurityEnabled()
            && conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) {

      if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
        filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          authType);
        LOG.info("AuthType: "+authType);
      } else {
        filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          KerberosDelegationTokenAuthenticationHandler.class.getName());
        LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
      } 


      // Resolve _HOST into bind address
      String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
      String principal =
          filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
      if (principal != null) {
        try {
          principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
        } catch (IOException ex) {
          throw new RuntimeException(
              "Could not resolve Kerberos principal name: " + ex.toString(), ex);
        }
        filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
            principal);
      }
    }
 {code}

  was:
When attempting to use the Hadoop Alternate Authentication Classes, they do not exactly work
with what was built with https://issues.apache.org/jira/browse/YARN-1935.

I went ahead and made the following changes to support using a custom AltKerberos DelegationToken
class.

Changes to: TimelineAuthenticationFilterInitializer.class
   String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);


    LOG.info("AuthType Configured: "+authType);
    if (authType.equals(PseudoAuthenticationHandler.TYPE)) {

      filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          PseudoDelegationTokenAuthenticationHandler.class.getName());
        LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");

    } else if (authType.equals(KerberosAuthenticationHandler.TYPE)
        || (UserGroupInformation.isSecurityEnabled()
            && conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) {

      if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
        filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          authType);
        LOG.info("AuthType: "+authType);
      } else {
        filterConfig.put(AuthenticationFilter.AUTH_TYPE,
          KerberosDelegationTokenAuthenticationHandler.class.getName());
        LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
      } 


      // Resolve _HOST into bind address
      String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
      String principal =
          filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
      if (principal != null) {
        try {
          principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
        } catch (IOException ex) {
          throw new RuntimeException(
              "Could not resolve Kerberos principal name: " + ex.toString(), ex);
        }
        filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
            principal);
      }
    }
 


> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
>                 Key: YARN-4006
>                 URL: https://issues.apache.org/jira/browse/YARN-4006
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, timelineserver
>    Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>             Fix For: 2.8.0
>
>         Attachments: YARN-4006-branch-trunk.patch, YARN-4006-branch2.6.0.patch
>
>
> When attempting to use the Hadoop Alternate Authentication Classes, they do not exactly work with what was built with https://issues.apache.org/jira/browse/YARN-1935.
> I went ahead and made the following changes to support using a custom AltKerberos DelegationToken class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
>    String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
>     LOG.info("AuthType Configured: "+authType);
>     if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
>       filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           PseudoDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
>     } else if (authType.equals(KerberosAuthenticationHandler.TYPE)
>         || (UserGroupInformation.isSecurityEnabled()
>             && conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) {
>       if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           authType);
>         LOG.info("AuthType: "+authType);
>       } else {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           KerberosDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>       } 
>       // Resolve _HOST into bind address
>       String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>       String principal =
>           filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>       if (principal != null) {
>         try {
>           principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>         } catch (IOException ex) {
>           throw new RuntimeException(
>               "Could not resolve Kerberos principal name: " + ex.toString(), ex);
>         }
>         filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
>             principal);
>       }
>     }
>  {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
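
The branch logic in the snippet above, modelled as an added example (not code from the issue or from Hadoop) so each configuration outcome can be checked in isolation. It assumes plain strings in place of the Hadoop classes, shortened handler names, and a hypothetical custom class name `com.example.auth.CustomAltKerberosHandler`.

```java
public class AuthTypeResolution {
    static final String SIMPLE = "simple";     // value of PseudoAuthenticationHandler.TYPE
    static final String KERBEROS = "kerberos"; // value of KerberosAuthenticationHandler.TYPE

    // Returns the resulting auth type and whether the _HOST principal step runs.
    static String resolve(String authType, boolean securityEnabled, String clusterAuth) {
        if (authType == null) {
            // The snippet calls authType.equals(...) and would throw NullPointerException.
            return "<unset> | principal step: skipped";
        }
        if (SIMPLE.equals(authType)) {
            return "PseudoDelegationTokenAuthenticationHandler | principal step: skipped";
        }
        // Constant-first equals() tolerates a null clusterAuth; the snippet's
        // conf.get(...).equals(...) would throw if the lookup returned null.
        boolean clusterKerberos = securityEnabled && KERBEROS.equals(clusterAuth);
        if (KERBEROS.equals(authType)) {
            return "KerberosDelegationTokenAuthenticationHandler | principal step: runs";
        }
        if (clusterKerberos) {
            // Any other configured value is kept as the handler class name.
            return authType + " | principal step: runs";
        }
        // No branch matched: the filter config is left untouched.
        return authType + " | principal step: skipped";
    }

    public static void main(String[] args) {
        String custom = "com.example.auth.CustomAltKerberosHandler"; // hypothetical class name
        Object[][] cases = {               // constructed inputs
            {SIMPLE, false, SIMPLE},
            {KERBEROS, true, KERBEROS},
            {custom, true, KERBEROS},
            {custom, false, SIMPLE},
            {custom, true, null},
        };
        for (Object[] c : cases) {
            System.out.printf("authType=%s security=%s cluster=%s -> %s%n",
                c[0], c[1], c[2], resolve((String) c[0], (Boolean) c[1], (String) c[2]));
        }
    }
}
```

The third case is the one the change enables: with cluster security set to Kerberos, whatever class name is configured as the auth type is passed through unchanged, so the configured value is what decides which handler authenticates requests.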
