hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4006) YARN ATS Alternate Kerberos HTTP Authentication Changes
Date Fri, 20 May 2016 00:28:13 GMT

    [ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292429#comment-15292429
] 

Larry McCay commented on YARN-4006:
-----------------------------------

Hi [~aw] - I am familiar with AltKerberosAuthenticationHandler if that is what you mean.
This patch looks to be perfectly sane for enabling custom authentication handlers - AltKerberos
obviously interrogates the UserAgent and muxes between kerberos and the customer handler.

There isn't anything that is specific to AltKeberos about this patch but such extensions should
work fine.

What is the question on this patch - it seems rather simple?

> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
>                 Key: YARN-4006
>                 URL: https://issues.apache.org/jira/browse/YARN-4006
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, timelineserver
>    Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>            Priority: Blocker
>         Attachments: YARN-4006-branch-trunk.patch, YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch
>
>
> When attempting to use The Hadoop Alternate Authentication Classes. They do not exactly
work with what was built with YARN-1935.
> I went ahead and made the following changes to support using a Custom AltKerberos DelegationToken
custom class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
>    String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
>     LOG.info("AuthType Configured: "+authType);
>     if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
>       filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           PseudoDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
>     } else if (authType.equals(KerberosAuthenticationHandler.TYPE) || (UserGroupInformation.isSecurityEnabled()
&& conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE)))
{
>       if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           authType);
>         LOG.info("AuthType: "+authType);
>       } else {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           KerberosDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>       } 
>       // Resolve _HOST into bind address
>       String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>       String principal =
>           filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>       if (principal != null) {
>         try {
>           principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>         } catch (IOException ex) {
>           throw new RuntimeException(
>               "Could not resolve Kerberos principal name: " + ex.toString(), ex);
>         }
>         filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
>             principal);
>       }
>     }
>  {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message