[ https://issues.apache.org/jira/browse/HADOOP-10596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13996663#comment-13996663 ]

Zhijie Shen commented on HADOOP-10596:
--------------------------------------

bq. Introducing the secret file is a much larger change. I think a better idea 
is to clean it up.

If you strongly object to adding more configs in the scope of HttpServer2, I can 
definitely move it out, and this is a proof-of-concept patch, though I'm not 
sure it's a good idea to have some configs here and others elsewhere.

bq. I think there is a configuration to toggle whether NN web UI can be 
accessed without spnego in secure mode.

Let me introduce more background about SPNEGO:

1. We can configure whether to use authentication or not.
2. When authentication is enabled, we can choose whether to use SPNEGO for web 
access.
3. When SPNEGO is enabled for web, we need to define what URLs we want to 
protect.

The configuration you mentioned sounds like the 2nd step.

The problem I found is with the 3rd step. All YARN daemons use initSpnego to 
initiate the authentication filter to protect web resources (not sure whether 
HDFS is using the same method or not, as there's an alternative way). The 
problem is:

1. The authentication filter actually protects nothing, since no URLs have been 
applied to this filter.
2. initSpnego doesn't provide enough flexibility for configuring the secret file 
and the customized filter class programmatically. YARN daemons start the web app 
inside it instead of putting it into another container, such as Tomcat (it 
seems that web hdfs is doing this and can use web.xml to configure the filter).
> HttpServer2 should apply the authentication filter to some urls instead of 
> null
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-10596
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10596
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: HADOOP-10596.1.patch
>
>
> HttpServer2 should apply the authentication filter to some urls instead of 
> null. In addition, it should be more flexible for users to configure SPNEGO.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
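
An added illustration of the third step discussed in the comment above (not part of the original message, and not Hadoop or Jetty code): a simplified model of servlet-style filter mapping that shows why a filter registered with a null URL list never runs, plus an audit that lists request paths the filter does not cover. The class, the `defineFilter` signature, the filter name, the URL patterns and the sample paths are all assumptions made for the example.

```java
import java.util.*;

/** Simplified model of servlet filter mapping (illustrative, not Hadoop or Jetty code). */
public class FilterMappingAudit {
    // filter name -> URL patterns it is mapped to (empty list = defined but unmapped)
    private final Map<String, List<String>> mappings = new LinkedHashMap<>();

    /** Hypothetical registration call; a null urls array means "no mappings". */
    void defineFilter(String name, String[] urls) {
        mappings.put(name, urls == null ? List.of() : List.of(urls));
    }

    /** Servlet-style pattern match: "/*", "/prefix/*", "*.ext", or an exact path. */
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/*")) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return pattern.equals(path);
    }

    /** Names of the filters that would run for a request path. */
    List<String> filtersFor(String path) {
        List<String> hit = new ArrayList<>();
        mappings.forEach((name, patterns) -> {
            if (patterns.stream().anyMatch(p -> matches(p, path))) hit.add(name);
        });
        return hit;
    }

    /** Audit: the subset of paths that the named filter does not cover. */
    List<String> uncovered(String filter, List<String> paths) {
        List<String> out = new ArrayList<>();
        for (String p : paths) if (!filtersFor(p).contains(filter)) out.add(p);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the issue.
        List<String> paths = List.of("/ws/v1/apps", "/cluster", "/static/app.css");
        FilterMappingAudit before = new FilterMappingAudit();
        before.defineFilter("authentication", null); // null mapping, as described in the comment
        FilterMappingAudit after = new FilterMappingAudit();
        after.defineFilter("authentication", new String[] {"/ws/*", "/cluster/*"}); // assumed patterns
        System.out.println("null mapping, uncovered: " + before.uncovered("authentication", paths));
        System.out.println("with patterns, uncovered: " + after.uncovered("authentication", paths));
    }
}
```

Running the same audit against a deployment's real filter registrations and a list of its sensitive endpoints gives a quick regression check that the authentication filter is mapped to the paths it is meant to protect.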
