hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4006) YARN ATS Alternate Kerberos HTTP Authentication Changes
Date Sat, 21 May 2016 16:02:12 GMT

    [ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295097#comment-15295097
] 

Allen Wittenauer commented on YARN-4006:
----------------------------------------

bq. if we don't really need AltKerberos here then we could set this to just be kerberos.

Two issues:

a) split configurations are a pain in the ass to manage
b) timeline server is expected to be used by end users for querying.  so if your altkerberos
has, say, JWT support for end user applications....

> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
>                 Key: YARN-4006
>                 URL: https://issues.apache.org/jira/browse/YARN-4006
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, timelineserver
>    Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>            Priority: Blocker
>         Attachments: YARN-4006-branch-trunk.patch, YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch
>
>
> When attempting to use The Hadoop Alternate Authentication Classes. They do not exactly
work with what was built with YARN-1935.
> I went ahead and made the following changes to support using a Custom AltKerberos DelegationToken
custom class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
>    String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
>     LOG.info("AuthType Configured: "+authType);
>     if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
>       filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           PseudoDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
>     } else if (authType.equals(KerberosAuthenticationHandler.TYPE) || (UserGroupInformation.isSecurityEnabled()
&& conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE)))
{
>       if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           authType);
>         LOG.info("AuthType: "+authType);
>       } else {
>         filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>           KerberosDelegationTokenAuthenticationHandler.class.getName());
>         LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>       } 
>       // Resolve _HOST into bind address
>       String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>       String principal =
>           filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>       if (principal != null) {
>         try {
>           principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>         } catch (IOException ex) {
>           throw new RuntimeException(
>               "Could not resolve Kerberos principal name: " + ex.toString(), ex);
>         }
>         filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
>             principal);
>       }
>     }
>  {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message