[jira] [Commented] (HADOOP-18666) A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-18666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17702728#comment-17702728
 ] 

ASF GitHub Bot commented on HADOOP-18666:
-----------------------------------------

tasanuma commented on code in PR #5480:
URL: https://github.com/apache/hadoop/pull/5480#discussion_r1142162026


##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServerWithSpnego.java:
##########
@@ -191,6 +193,48 @@ public void testAuthenticationWithProxyUser() throws 
Exception {
     }
   }
 
+  @Test
+  public void testAuthenticationToAllowList() throws Exception {
+    Configuration spnegoConf = getSpnegoConf(new Configuration());
+    String[] allowList = new String[] {"/jmx", "/prom"};
+    String[] denyList = new String[] {"/conf", "/stacks", "/logLevel"};
+    spnegoConf.set(PREFIX + "kerberos.endpoint.whitelist", String.join(",", 
allowList));
+    spnegoConf.set("hadoop.prometheus.endpoint.enabled", "true");
+    spnegoConf.set("hadoop.http.filter.initializers",
+        "org.apache.hadoop.security.AuthenticationFilterInitializer");

Review Comment:
   @eubnara Sorry, I have one more request. Could you use constants here?
   ```suggestion
       spnegoConf.set(CommonConfigurationKeysPublic.HADOOP_PROMETHEUS_ENABLED, 
"true");
       spnegoConf.set(FILTER_INITIALIZER_PROPERTY, 
AuthenticationFilterInitializer.class.getName());
   ```





> A whitelist of endpoints to skip Kerberos authentication doesn't work for 
> ResourceManager and Job History Server
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18666
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18666
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: YUBI LEE
>            Assignee: YUBI LEE
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HADOOP-18666-branch-3.3.4.patch
>
>
> Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos 
> authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
> However, I found that ResourceManager and Job History Server doesn't repect 
> {{hadoop.http.authentication.kerberos.endpoint.whitelist}}.
> To workaround this issue for ResourceManager, set 
> {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in 
> yarn-site.xml.
> However, there is no workaround for Job History Server.
> This bug is caused by {{HttpServer2#initSpnego}} call without proper 
> configurations which starts with "{{hadoop.http.authentication.}}".
> I will make a PR soon.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org