[ 
https://issues.apache.org/jira/browse/HADOOP-9679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698496#comment-13698496
 ] 

fang fang chen commented on HADOOP-9679:
----------------------------------------

Hi Alejandro,

Thanks for your reply.
You are right, I am using this outside of Hadoop. From the user side, it will be 
great if he can use hadoop-auth classes to add kerberos support to any web 
servlet. Then I tried this, and it works besides the rules issue.
And I agree with you that it will work if we set kerberos.name.rules in my 
AuthFilter (hard coded). But from the user side, I think it will be better if we can 
configure kerberos.name.rules in a configuration file (if it is set in the server's 
configuration file, it does not work directly), and use a default value if the user 
did not set this property in his authFilter, just like other kerberos 
properties set in hdfs-site.xml/core-site.xml.
The fix is for using hadoop-auth outside Hadoop, where it will not invoke GUI. 
Maybe this is not the original usage of hadoop-auth. But I think hadoop has 
provided an excellent kerberos authentication API which is very convenient for 
users to add kerberos support to any web service. And we can expand 
hadoop-auth to any web servlet, no matter whether this servlet is a hadoop client or not. 
Just like what commons-logging did. Java provided logging APIs, but we choose 
to use commons-logging because it is more convenient and effective. What do you 
think?

Thanks~



Post Alejandro's mail reply here: 
Hi Lulynn,

I've commented in the JIRA, now that I see your email that gives me a bit
more of context on what you are trying to do.

If I understand correctly, you are trying to use this outside of Hadoop. If
that is the case you should set the <PREFIX>.kerberos.name.rules=DEFAULT
(or a custom name.rules if you have one) in your hadoop-auth
AuthenticationFilter configuration.

This is required because you are not initializing UGI before initializing
the filter.

Thanks.
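
One way to get the default that the comment asks for while following the mail reply's advice, as an added example that is not code from the JIRA issue, its patch, or Hadoop itself: a filter subclass that fills in kerberos.name.rules when the servlet configuration omits it. The class name is hypothetical, and the sketch assumes the Kerberos handler applies kerberos.name.rules from the filter configuration, as the reply describes.

```java
import java.util.Properties;

import javax.servlet.FilterConfig;
import javax.servlet.ServletException;

import org.apache.hadoop.security.authentication.server.AuthenticationFilter;

/**
 * Hypothetical filter for a web application that uses hadoop-auth outside
 * Hadoop, where nothing has initialized UGI (and so the KerberosName rules)
 * before the filter starts.
 */
public class DefaultNameRulesAuthFilter extends AuthenticationFilter {

  // Key as the handler sees it, i.e. after AuthenticationFilter has stripped
  // the <PREFIX>. given by the "config.prefix" init-param.
  private static final String NAME_RULES = "kerberos.name.rules";

  @Override
  protected Properties getConfiguration(String configPrefix,
                                        FilterConfig filterConfig)
      throws ServletException {
    // The parent collects the filter's init-params (web.xml) and removes
    // the prefix from each key.
    Properties props = super.getConfiguration(configPrefix, filterConfig);

    // Only supply a default; an explicit value (DEFAULT or custom rules)
    // from the deployment's configuration always wins.
    String rules = props.getProperty(NAME_RULES);
    if (rules == null || rules.trim().isEmpty()) {
      props.setProperty(NAME_RULES, "DEFAULT");
    }
    return props;
  }
}
```

Register this class in web.xml in place of AuthenticationFilter; the existing init-params (type, kerberos.principal, kerberos.keytab) are passed through unchanged.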
                
> KerberosName.rules are not initialized during adding kerberos support to a 
> web servlet using hadoop authentications
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9679
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9679
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.1.1, 2.0.4-alpha
>            Reporter: fang fang chen
>         Attachments: HADOOP-9679.patch
>
>
> I am using hadoop-1.1.1 to add kerberos authentication to a web service. But 
> I found the rules are not initialized, which causes the following error:
> java.lang.NullPointerException
>         at org.apache.hadoop.security.KerberosName.getShortName(KerberosName.java:384)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:328)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:302)
>         at java.security.AccessController.doPrivileged(AccessController.java:310)
>         at javax.security.auth.Subject.doAs(Subject.java:573)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:302)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:340)
> Seems in hadoop-2.0.4-alpha branch, this issue is still there.
