[
https://issues.apache.org/jira/browse/HDFS-9760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ryan Sasson updated HDFS-9760:
------------------------------
Status: Patch Available (was: Open)
> WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler
> ----------------------------------------------------------------------------
>
> Key: HDFS-9760
> URL: https://issues.apache.org/jira/browse/HDFS-9760
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Reporter: Ryan Sasson
> Assignee: Ryan Sasson
>
> Currently the WebHDFS AuthFilter selects its authentication type based on a
> call to UserGroupInformation.isSecurityEnabled() with only two choices,
> KerberosAuthentication or PseudoAuthentication. Thus there is no condition
> where the WebHDFS server can be configured with a custom AltKerberos
> authentication handler.
> Additionally, at the time the WebHDFS AuthFilter is initialized the method
> getAuthFilterParams(conf) is called in NameNodeHttpServer which picks and
> chooses a certain few configurations with the prefix
> 'dfs.web.authentication'. The issue is this method strips away the
> configuration that could set the authentication type AND additional
> configurations that are specific to the custom auth handler (using the prefix
> 'dfs.web.authentication.alt-kerberos').
> The consequence of this lack of configurability is that a user that makes
> authenticated access to the namenode web UI (through a custom authentication
> handler) will not be able to access the namenode file browser (because it is
> making ajax calls to WebHDFS that has a different authentication type).
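A simplified model of the parameter filtering described in the issue, as an added example that is not Hadoop's code or the reporter's patch: it contrasts copying a fixed few `dfs.web.authentication` keys with forwarding everything under that prefix. The class and method names, the `dfs.web.authentication.type` key, and all sample values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.TreeMap;

public class AuthFilterParamsModel {
    static final String PREFIX = "dfs.web.authentication.";

    // Models the selective copy the issue describes: only a fixed few keys survive.
    static Map<String, String> selectiveCopy(Map<String, String> conf) {
        Map<String, String> params = new TreeMap<>();
        for (String key : Arrays.asList(PREFIX + "kerberos.principal",
                                        PREFIX + "kerberos.keytab")) {
            if (conf.containsKey(key)) {
                params.put(key, conf.get(key));
            }
        }
        return params;
    }

    // Alternative: forward every key under the prefix, so the type and the
    // handler-specific alt-kerberos settings reach the filter.
    static Map<String, String> prefixCopy(Map<String, String> conf) {
        Map<String, String> params = new TreeMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            if (e.getKey().startsWith(PREFIX)) {
                params.put(e.getKey(), e.getValue());
            }
        }
        return params;
    }

    // Use a configured type if present; otherwise fall back to the two-way choice.
    static String authType(Map<String, String> params, boolean securityEnabled) {
        String fallback = securityEnabled ? "kerberos" : "simple";
        return params.getOrDefault(PREFIX + "type", fallback);
    }

    public static void main(String[] args) {
        Map<String, String> conf = new TreeMap<>();   // constructed sample configuration
        conf.put(PREFIX + "kerberos.principal", "HTTP/_HOST@EXAMPLE.COM");
        conf.put(PREFIX + "kerberos.keytab", "/path/to/http.keytab");
        conf.put(PREFIX + "type", "com.example.CustomAltKerberosHandler"); // assumed key
        conf.put(PREFIX + "alt-kerberos.non-browser.user-agents", "java,curl");
        conf.put("dfs.replication", "3");              // unrelated, never forwarded

        for (Map<String, String> p : Arrays.asList(selectiveCopy(conf), prefixCopy(conf))) {
            System.out.println(authType(p, true) + " <- " + p.keySet());
        }
    }
}
```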