[ https://issues.apache.org/jira/browse/HADOOP-18666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700550#comment-17700550 ]

ASF GitHub Bot commented on HADOOP-18666:
-----------------------------------------

eubnara commented on PR #5480:
URL: https://github.com/apache/hadoop/pull/5480#issuecomment-1469570800

   Without this patch, the whitelist is ignored.
   
![image](https://user-images.githubusercontent.com/12639125/225251063-c900f730-5b7e-4de7-b75b-9a925e4700f5.png)
   
   Even though `hadoop.http.filter.initializers` is set to `org.apache.hadoop.security.AuthenticationFilterInitializer,org.apache.hadoop.security.HttpCrossOriginFilterInitializer`, the `HTTPServer#initSpnego` call overwrites the `AuthenticationFilter` filter (because it has the same name, `authentication`) and ignores `hadoop.http.authentication.kerberos.endpoint.whitelist`.
   
   On ResourceManager with configurations:
   
   ```
   # core-site.xml
   hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer,org.apache.hadoop.security.HttpCrossOriginFilterInitializer
   hadoop.http.authentication.kerberos.endpoint.whitelist=/isActive,/jmx,/prom
   
   ...
   
   # yarn-site.xml
   yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=false
   ```
   
   
   One curious thing is that if `AuthenticationFilterInitializer` is set in `hadoop.http.filter.initializers` in core-site.xml, the `AuthenticationFilter` filter is added twice unnecessarily.




> A whitelist of endpoints to skip Kerberos authentication doesn't work for 
> ResourceManager and Job History Server
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18666
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18666
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: YUBI LEE
>            Assignee: YUBI LEE
>            Priority: Major
>              Labels: pull-request-available
>
> Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos 
> authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
> However, I found that ResourceManager and Job History Server don't respect 
> {{hadoop.http.authentication.kerberos.endpoint.whitelist}}.
> To work around this issue for ResourceManager, set 
> {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in 
> yarn-site.xml.
> However, there is no workaround for Job History Server.
> This bug is caused by the {{HttpServer2#initSpnego}} call without the proper 
> configurations that start with "{{hadoop.http.authentication.}}".
> I will make a PR soon.
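
An added example (not part of the original comment or of the Hadoop code base): a small Python audit that reads `core-site.xml` and `yarn-site.xml` and flags the setting combinations this report describes. The function names and finding codes are hypothetical, the XML is constructed sample input, and the check assumes a build without the patch from PR #5480.

```python
import xml.etree.ElementTree as ET

# Property names and the initializer class name are taken from the report above.
WHITELIST = "hadoop.http.authentication.kerberos.endpoint.whitelist"
INITIALIZERS = "hadoop.http.filter.initializers"
RM_DT_FILTER = "yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled"
AUTH_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(core_site_xml, yarn_site_xml):
    """Return (code, detail) findings; the codes are hypothetical labels."""
    core, yarn = load_props(core_site_xml), load_props(yarn_site_xml)
    endpoints = csv(core.get(WHITELIST, ""))
    findings = []
    if endpoints:
        # Only an explicit "false" is flagged; an unset key is left alone.
        if yarn.get(RM_DT_FILTER, "").lower() == "false":
            findings.append(("RM_WHITELIST_IGNORED",
                             f"whitelist {endpoints} ignored; set {RM_DT_FILTER}=true"))
        findings.append(("JHS_WHITELIST_IGNORED",
                         f"whitelist {endpoints} ignored; no workaround reported"))
    if AUTH_INIT in csv(core.get(INITIALIZERS, "")):
        findings.append(("AUTH_FILTER_ADDED_TWICE", f"{AUTH_INIT} in {INITIALIZERS}"))
    return findings

def site(props):
    """Build a constructed *-site.xml document from a dict (sample input only)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample input mirroring the settings quoted in the comment.
CORE_SITE = site({
    INITIALIZERS: AUTH_INIT + ",org.apache.hadoop.security.HttpCrossOriginFilterInitializer",
    WHITELIST: "/isActive,/jmx,/prom",
})
YARN_SITE = site({RM_DT_FILTER: "false"})
```

Calling `audit(CORE_SITE, YARN_SITE)` on the constructed sample returns all three findings; with the ResourceManager workaround applied, the `RM_WHITELIST_IGNORED` finding disappears.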


