[ https://issues.apache.org/jira/browse/HADOOP-16972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085316#comment-17085316 ]
Eric Yang commented on HADOOP-16972:
------------------------------------

HDFS uses Auth filter instead of the global AuthenticationFilter because WebHDFS issues delegation tokens, a capability that the standard AuthenticationFilter does not have. It would be better to use the global authentication filter to reduce security holes. The KMS server can either be protected using the global authentication filter, or customized like you are suggesting. However, I do not think switching filter initialization solves the root problem, where the Kerberos TGT token is reused on two different endpoints when servers are co-located on the same node. I think the unit test is passing for the wrong reason, where realm information is not available and not triggering lookup. Could you verify the KDC server log to make sure that authentication lookup has in fact happened?

> Ignore AuthenticationFilterInitializer for KMSWebServer
> -------------------------------------------------------
>
>                 Key: HADOOP-16972
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16972
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.3.0
>            Reporter: Masatake Iwasaki
>            Assignee: Masatake Iwasaki
>            Priority: Major
>
> KMS does not work if hadoop.http.filter.initializers is set to
> AuthenticationFilterInitializer since KMS uses its own authentication filter.
> This is problematic when KMS is on the same node with other Hadoop services
> and shares core-site.xml with them. The filter initializers configuration
> should be tweaked as done for httpfs in HDFS-14845.
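
An added example, not part of the Jira thread or the Hadoop code base: a configuration audit that flags a shared core-site.xml in which `hadoop.http.filter.initializers` includes the global `AuthenticationFilterInitializer`, and shows the initializer list KMS would be left with if that one entry were ignored. The function names and the sample XML are constructed for illustration, and reading "tweaked" as "drop that class from the comma-separated value" is an assumption.

```python
import xml.etree.ElementTree as ET

KEY = "hadoop.http.filter.initializers"
# Fully qualified name of the global initializer in Hadoop Common.
AUTH_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Constructed sample of a core-site.xml shared by co-located services.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer,
           org.apache.hadoop.security.HttpCrossOriginFilterInitializer</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>
</configuration>"""


def read_initializers(core_site_xml):
    """Return the configured initializer class names, in order."""
    root = ET.fromstring(core_site_xml)
    value = ""
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == KEY:
            value = prop.findtext("value") or ""
    # The value is comma-separated and may be wrapped across lines.
    return [c.strip() for c in value.split(",") if c.strip()]


def kms_effective_initializers(initializers):
    """Assumed tweak: drop the global initializer, keep the rest in order."""
    return [c for c in initializers if c != AUTH_INIT]


def audit(core_site_xml):
    """Report whether the shared setting collides with KMS's own filter."""
    configured = read_initializers(core_site_xml)
    return {
        "configured": configured,
        "conflicts_with_kms": AUTH_INIT in configured,
        "kms_effective": kms_effective_initializers(configured),
    }


if __name__ == "__main__":
    for field, result in audit(SAMPLE_CORE_SITE).items():
        print(f"{field}: {result}")
```

The audit only covers the configuration conflict described in the issue; it says nothing about whether a Kerberos lookup actually reaches the KDC, which is the separate point raised in the comment.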