[ https://issues.apache.org/jira/browse/HADOOP-16972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085316#comment-17085316 ]

Eric Yang commented on HADOOP-16972:
------------------------------------

HDFS uses Auth filter instead of the global AuthenticationFilter because 
WebHDFS issues delegation tokens, a capability that the standard 
AuthenticationFilter does not have.  It would be better to use the global 
authentication filter to reduce security holes.  The KMS server can either be 
protected using the global authentication filter, or customized as you are 
suggesting.  However, I do not think switching filter initialization solves the 
root problem, where the Kerberos TGT token is reused on two different endpoints 
when servers are co-located on the same node.  I think the unit test is passing 
for the wrong reason, where realm information is not available and the lookup 
is not triggered.  Could you verify the KDC server log to make sure that the 
authentication lookup has in fact happened?

> Ignore AuthenticationFilterInitializer for KMSWebServer
> -------------------------------------------------------
>
>                 Key: HADOOP-16972
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16972
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.3.0
>            Reporter: Masatake Iwasaki
>            Assignee: Masatake Iwasaki
>            Priority: Major
>
> KMS does not work if hadoop.http.filter.initializers is set to 
> AuthenticationFilterInitializer since KMS uses its own authentication filter. 
> This is problematic when KMS is on the same node with other Hadoop services 
> and shares core-site.xml with them. The filter initializers configuration 
> should be tweaked as done for httpfs in HDFS-14845.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
