[https://issues.apache.org/jira/browse/HDFS-9760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139896#comment-15139896]
Hudson commented on HDFS-9760:
------------------------------
FAILURE: Integrated in Hadoop-trunk-Commit #9269 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/9269/])
HDFS-9760. WebHDFS AuthFilter cannot be configured with custom (aw: rev
401ae4ecdb64e1ae2730976f96f7949831305c07)
* hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/web/TestAuthFilter.java
* hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/web/AuthFilter.java
* hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/NameNodeHttpServer.java
* hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
> WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler
> ----------------------------------------------------------------------------
>
> Key: HDFS-9760
> URL: https://issues.apache.org/jira/browse/HDFS-9760
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Reporter: Ryan Sasson
> Assignee: Ryan Sasson
> Fix For: 2.8.0
>
> Attachments: HDFS-9760.patch
>
>
> Currently the WebHDFS AuthFilter selects its authentication type based on a
> call to UserGroupInformation.isSecurityEnabled() with only two choices,
> KerberosAuthentication or PseudoAuthentication. Thus there is no condition
> where the WebHDFS server can be configured with a custom AltKerberos
> authentication handler.
> Additionally, at the time the WebHDFS AuthFilter is initialized the method
> getAuthFilterParams(conf) is called in NameNodeHttpServer which picks and
> chooses a certain few configurations with the prefix
> 'dfs.web.authentication'. The issue is this method strips away the
> configuration that could set the authentication type AND additional
> configurations that are specific to the custom auth handler (using the prefix
> 'dfs.web.authentication.alt-kerberos').
> The consequence of this lack of configurability is that a user that makes
> authenticated access to the namenode web UI (through a custom authentication
> handler) will not be able to access the namenode file browser (because it is
> making ajax calls to WebHDFS that has a different authentication type).
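The filtering behaviour described in the issue, as an added example (not code from the Hadoop patch or project): it contrasts selecting a fixed few keys with passing through every key under the 'dfs.web.authentication' prefix, and lists what the fixed selection drops. The class and method names, the handler class name, and the sample keys and values are assumptions constructed for illustration.

```java
import java.util.*;

public class AuthFilterParamsDemo {
    static final String PREFIX = "dfs.web.authentication.";

    // Fixed-key style: only an explicit few keys survive (the behaviour the report describes).
    static Map<String, String> pickFixedKeys(Map<String, String> conf, List<String> allowed) {
        Map<String, String> out = new TreeMap<>();
        for (String key : allowed) {
            if (conf.containsKey(key)) {
                out.put(key.substring(PREFIX.length()), conf.get(key));
            }
        }
        return out;
    }

    // Prefix style: every key under the prefix reaches the filter, with the prefix stripped.
    static Map<String, String> passPrefix(Map<String, String> conf) {
        Map<String, String> out = new TreeMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            if (e.getKey().startsWith(PREFIX)) {
                out.put(e.getKey().substring(PREFIX.length()), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; key names and values are assumptions.
        Map<String, String> conf = new LinkedHashMap<>();
        conf.put("dfs.web.authentication.type", "com.example.CustomAltKerberosHandler");
        conf.put("dfs.web.authentication.kerberos.principal", "HTTP/_HOST@EXAMPLE.COM");
        conf.put("dfs.web.authentication.kerberos.keytab", "/etc/security/http.keytab");
        conf.put("dfs.web.authentication.alt-kerberos.non-browser.user-agents", "java,curl");
        conf.put("dfs.replication", "3"); // unrelated key, ignored by both styles

        List<String> allowed = Arrays.asList(
            "dfs.web.authentication.kerberos.principal",
            "dfs.web.authentication.kerberos.keytab");

        Map<String, String> fixed = pickFixedKeys(conf, allowed);
        Map<String, String> all = passPrefix(conf);

        // Keys the handler would need but never receives under the fixed-key style.
        Set<String> dropped = new TreeSet<>(all.keySet());
        dropped.removeAll(fixed.keySet());
        System.out.println("fixed-key filter passes: " + fixed.keySet());
        System.out.println("prefix filter passes:    " + all.keySet());
        System.out.println("dropped by fixed-key:    " + dropped);
    }
}
```

When the dropped set contains the authentication type or handler-specific keys, the WebHDFS filter falls back to a different authentication type than the web UI, which is the mismatch the issue reports.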