Ryan Sasson created HDFS-9760:
---------------------------------

             Summary: WebHDFS AuthFilter cannot be configured with custom 
AltKerberos auth handler
                 Key: HDFS-9760
                 URL: https://issues.apache.org/jira/browse/HDFS-9760
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: webhdfs
            Reporter: Ryan Sasson
            Assignee: Ryan Sasson


Currently the WebHDFS AuthFilter selects its authentication type based on a 
call to UserGroupInformation.isSecurityEnabled() with only two choices, 
KerberosAuthentication or PseudoAuthentication. Thus there is no condition 
where the WebHDFS server can be configured with a custom AltKerberos 
authentication handler.

Additionally, at the time the WebHDFS AuthFilter is initialized the method 
getAuthFilterParams(conf) is called in NameNodeHttpServer which picks and 
chooses a certain few configurations with the prefix 'dfs.web.authentication'. 
The issue is this method strips away the configuration that could set the 
authentication type AND additional configurations that are specific to the 
custom auth handler (using the prefix 'dfs.web.authentication.alt-kerberos').

The consequence of this lack of configurability is that a user that makes 
authenticated access to the namenode web UI (through a custom authentication 
handler) will not be able to access the namenode file browser (because it is 
making ajax calls to WebHDFS that has a different authentication type). 
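
The filtering problem described above, as an added example that is not Hadoop code and not part of the original report: a fixed allowlist of copied keys is set beside a prefix pass-through. The class and method names, the two allowlisted keys, the 'type' key name and the handler class name are assumptions chosen for illustration; all values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class AuthFilterParamsDemo {
    static final String PREFIX = "dfs.web.authentication.";

    // Behaviour described in the report: only a fixed few keys are copied.
    // The two keys listed here are assumed stand-ins for "a certain few".
    static Map<String, String> allowlistedParams(Map<String, String> conf) {
        String[] kept = { PREFIX + "kerberos.principal", PREFIX + "kerberos.keytab" };
        Map<String, String> out = new LinkedHashMap<>();
        for (String key : kept) {
            if (conf.containsKey(key)) out.put(key, conf.get(key));
        }
        return out;
    }

    // One possible alternative: copy every key under the prefix, so the auth
    // type and handler-specific settings reach the filter.
    static Map<String, String> prefixedParams(Map<String, String> conf) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            if (e.getKey().startsWith(PREFIX)) out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    // Handler selection: an explicit type wins if it survived filtering,
    // otherwise the two-way choice the report describes applies.
    static String selectedType(Map<String, String> params, boolean securityEnabled) {
        String type = params.get(PREFIX + "type");
        if (type != null) return type;
        return securityEnabled ? "kerberos" : "simple";
    }

    public static void main(String[] args) {
        Map<String, String> conf = new LinkedHashMap<>(); // constructed sample config
        conf.put(PREFIX + "type", "com.example.CustomAltKerberosHandler"); // hypothetical class
        conf.put(PREFIX + "alt-kerberos.non-browser.user-agents", "java,curl");
        conf.put(PREFIX + "kerberos.principal", "HTTP/nn.example.com@EXAMPLE.COM");
        conf.put("dfs.replication", "3"); // unrelated key, must never reach the filter

        Map<String, String> before = allowlistedParams(conf);
        Map<String, String> after = prefixedParams(conf);
        System.out.println("allowlist keys: " + before.keySet());
        System.out.println("allowlist type: " + selectedType(before, true));
        System.out.println("prefix keys:    " + after.keySet());
        System.out.println("prefix type:    " + selectedType(after, true));
    }
}
```

With the allowlist, the custom type and the alt-kerberos setting never reach the filter and the selection falls back to kerberos, which is the mismatch between the web UI and WebHDFS that the report describes.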


