[ https://issues.apache.org/jira/browse/HADOOP-10671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14345843#comment-14345843 ]

Kai Zheng commented on HADOOP-10671:
------------------------------------

Hi [~wheat9],

Thanks for your comments. I may need some clarification here. The 
{{AuthFilter}} used by web hdfs is inherited from {{AuthenticationFilter}} used 
by web console, and they both support a set of configurable parameters like 
signature secret, cookie domain, etc. For users to actually configure such 
parameters, they need to prepare two sets of configuration properties, 
{{hadoop.http.authentication...}} and 
{{dfs.web.authentication.cookie.domain...}}. So this patch allows only the 
{{hadoop.http.authentication...}} set to be ready for both web console and web 
hdfs by simple property transformation on the web hdfs side, which would not 
introduce risk or cause incompatibility concerns. As a good effect of this 
approach, it's possible to enforce the same sign on mechanism with exactly the 
same configurations for both sides, and the effect is not limited to the 
delegation token mechanism. Please note I'm not solving a delegation token 
specific problem here. I thought it's possible to have more mechanisms, as 
broad web applications do, in hadoop web interfaces in future; I'm trying to 
make the configuration work simplified and unified in a safer way. Hope this 
clarification helps. Thanks.

> Single sign on between web console and webhdfs
> ----------------------------------------------
>
>                 Key: HADOOP-10671
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10671
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>         Attachments: hadoop-10671-v2.patch, hadoop-10671.patch
>
>
> Currently it's not possible to single sign on between hadoop web console and 
> webhdfs since they don't share common configurations as required, such as 
> signature secret to sign authentication token, and domain cookie etc. This 
> improvement would allow sso between the two, and also simplify the 
> configuration by removing the duplicate effort for the two parts.
> The sso makes sense because in current web console, it integrates webhdfs and 
> we should avoid redundant sign on in different mechanisms. This is necessary 
> when a certain authentication mechanism other than SPNEGO is desired across 
> web console and webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
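
A simplified model of the configuration sharing discussed in this issue, added here as an illustration; it is not code from the HADOOP-10671 patch or from Hadoop. The two property prefixes come from the comment; the property values, the HMAC-SHA256 cookie format, the token string and the host name are assumptions constructed for the example.

```python
import hashlib
import hmac

COMMON_PREFIX = "hadoop.http.authentication."  # prefix named in the comment
WEBHDFS_PREFIX = "dfs.web.authentication."     # prefix named in the comment

# Constructed sample configuration: the duplicated webhdfs secret has drifted.
SAMPLE_CONF = {
    "hadoop.http.authentication.signature.secret": "console-secret",
    "hadoop.http.authentication.cookie.domain": ".cluster.example",
    "dfs.web.authentication.signature.secret": "webhdfs-secret",
    "dfs.web.authentication.cookie.domain": ".cluster.example",
}

def filter_params(conf, prefix):
    """Collect the filter parameters stored under one property prefix."""
    return {k[len(prefix):]: v for k, v in conf.items() if k.startswith(prefix)}

def webhdfs_params(conf, unified):
    """unified=True models the transformation: webhdfs reuses the common set."""
    return filter_params(conf, COMMON_PREFIX if unified else WEBHDFS_PREFIX)

def sign(token, secret):
    """Append a MAC so the cookie cannot be altered (hypothetical format)."""
    mac = hmac.new(secret.encode(), token.encode(), hashlib.sha256).hexdigest()
    return f"{token}&s={mac}"

def verify(cookie, secret):
    """Return the token if the MAC matches, else None."""
    token, sep, mac = cookie.rpartition("&s=")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), token.encode(), hashlib.sha256).hexdigest()
    return token if hmac.compare_digest(mac, expected) else None

def sso_accepted(conf, unified, webhdfs_host="nn1.cluster.example"):
    """Does a cookie issued by the web console authenticate on webhdfs?"""
    console = filter_params(conf, COMMON_PREFIX)
    webhdfs = webhdfs_params(conf, unified)
    token = "u=alice&t=simple"  # constructed token contents
    cookie = sign(token, console["signature.secret"])
    # Simplified domain match: the browser only sends the cookie to hosts
    # inside the cookie domain set by the issuing filter.
    if not webhdfs_host.endswith(console["cookie.domain"]):
        return False
    return verify(cookie, webhdfs["signature.secret"]) == token

if __name__ == "__main__":
    print("separate property sets:", sso_accepted(SAMPLE_CONF, unified=False))
    print("shared property set:   ", sso_accepted(SAMPLE_CONF, unified=True))
```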
