[
https://issues.apache.org/jira/browse/HADOOP-10671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360089#comment-14360089
]
Kai Zheng commented on HADOOP-10671:
------------------------------------
Sorry I'm late on this.
Without this change, the following properties may need to be configured for web
hdfs, in addition to the similar ones with "hadoop.http" prefix for web UI:
{code}
### The following properties are for AuthenticationFilter ###
dfs.web.authentication.type #auth type
dfs.web.authentication.signature.secret # signature secret string value
dfs.web.authentication.token.validity
dfs.web.authentication.cookie.domain
dfs.web.authentication.cookie.path
# The following properties are for AuthenticationHandlers. It depends on auth type.
dfs.web.authentication.kerberos.principal
dfs.web.authentication.kerberos.keytab
dfs.web.authentication.kerberos.name.rules
...
{code}
With this change, all the above configuration properties can be avoided if
we're using the same auth filter and handler/type with web UI. We only need the
ones like the following for both web UI and web hdfs.
{code}
### The following properties are for AuthenticationFilter ###
hadoop.http.authentication.type #auth type
hadoop.http.authentication.signature.secret # signature secret string value
hadoop.http.authentication.token.validity
hadoop.http.authentication.cookie.domain
hadoop.http.authentication.cookie.path
# The following properties are for AuthenticationHandlers. It depends on auth type.
hadoop.http.authentication.kerberos.principal
hadoop.http.authentication.kerberos.keytab
hadoop.http.authentication.kerberos.name.rules
...
{code}
Makes sense? Thanks for comments.
> Unify and simplify common configurations for authentication filters between
> web console and web hdfs
> ----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-10671
> URL: https://issues.apache.org/jira/browse/HADOOP-10671
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Attachments: HADOOP-10671-v3.patch, hadoop-10671-v2.patch,
> hadoop-10671.patch
>
>
> Currently it's not able to single sign on between hadoop web console and
> webhdfs since they don't share common configurations as required to, such as
> signature secret to sign authentication token, and domain cookie etc. This
> improvement would allow sso between the two, and also simplify the
> configuration by removing the duplicate effort for the two parts.
> The sso makes sense because in current web console, it integrates webhdfs and
> we should avoid redundant sign on in different mechanisms. This is necessary
> when a certain authentication mechanism other than SPNEGO is desired across
> web console and webhdfs.
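An added example, not part of the JIRA comment or the Hadoop patch: a configuration audit that pairs each dfs.web.authentication.* property with its hadoop.http.authentication.* counterpart and flags the divergences the issue description says prevent single sign-on (signature secret, cookie domain). The property prefixes come from the comment above; the status labels, helper names and sample XML values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

UI_PREFIX = "hadoop.http.authentication."    # web UI prefix, from the comment
WEBHDFS_PREFIX = "dfs.web.authentication."   # webhdfs prefix, from the comment
# Settings the issue description says must be shared for SSO to work.
SSO_CRITICAL = {"signature.secret", "cookie.domain"}

def load_props(xml_text):
    """Parse one Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(core_site_xml, hdfs_site_xml):
    """Return sorted (suffix, status) pairs; values such as the secret are never returned."""
    merged = {**load_props(core_site_xml), **load_props(hdfs_site_xml)}
    def by_suffix(prefix):
        return {k[len(prefix):]: v for k, v in merged.items() if k.startswith(prefix)}
    ui, web = by_suffix(UI_PREFIX), by_suffix(WEBHDFS_PREFIX)
    findings = []
    for suffix in sorted(set(ui) | set(web)):
        if suffix not in web:
            status = "ui-only"
        elif suffix not in ui:
            status = "webhdfs-only"
        elif ui[suffix] == web[suffix]:
            status = "duplicate"             # redundant copy of the web UI value
        elif suffix in SSO_CRITICAL:
            status = "mismatch-breaks-sso"   # token signed or scoped differently per endpoint
        else:
            status = "mismatch"
        findings.append((suffix, status))
    return findings

def site(props):
    """Build a constructed sample *-site.xml document from a dict."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample input, not taken from any real cluster.
CORE_SITE = site({UI_PREFIX + "type": "kerberos", UI_PREFIX + "signature.secret": "sample-A",
                  UI_PREFIX + "cookie.domain": "example.test", UI_PREFIX + "token.validity": "36000"})
HDFS_SITE = site({WEBHDFS_PREFIX + "type": "kerberos", WEBHDFS_PREFIX + "signature.secret": "sample-B",
                  WEBHDFS_PREFIX + "cookie.domain": "example.test",
                  WEBHDFS_PREFIX + "kerberos.principal": "HTTP/_HOST@EXAMPLE.TEST"})

if __name__ == "__main__":
    for suffix, status in audit(CORE_SITE, HDFS_SITE):
        print(f"{suffix:20} {status}")
```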