eubnara opened a new pull request, #5480:
URL: https://github.com/apache/hadoop/pull/5480
<!--
Thanks for sending a pull request!
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
2. Make sure your PR title starts with JIRA issue id, e.g.,
'HADOOP-17799. Your PR title ...'.
-->
### Description of PR
Thanks to
[HADOOP-16527](https://issues.apache.org/jira/browse/HADOOP-16527), we can add
a whitelist of endpoints to skip Kerberos authentication such as `/isActive`,
`/jmx`, `/prom`.
However, I found that ResourceManager and Job History Server doesn't repect
`hadoop.http.authentication.kerberos.endpoint.whitelist`.
To workaround this issue for ResourceManager, set
`yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true` in
yarn-site.xml.
However, there is no workaround for Job History Server.
This bug is caused by HttpServer2#initSpnego call without proper
configurations which starts with "hadoop.http.authentication.".
### How was this patch tested?
Manually tested in internal cluster. It works with ResourceManager (without
`yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true` set),
Job History Server.
### For code changes:
- [x] Does the title or this PR starts with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
