[jira] [Commented] (HDFS-14525) JspHelper ignores hadoop.http.authentication.type

Thu, 30 May 2019 12:12:22 -0700 


    [ 
https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16852255#comment-16852255
 ] 

Daryn Sharp commented on HDFS-14525:
------------------------------------

You actually want a secure cluster to accept anonymous users?  Why do you even 
have security enabled?  I believe there was a debate about anon with security 
many years ago and the decision was anon is fundamentally incompatible with 
security.

The proposed change is completely wrong.  If a custom authentication method is 
used, you cannot fall through and allow the client specify who they are.

I'd say this is working as designed.

> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
>                 Key: HDFS-14525
>                 URL: https://issues.apache.org/jira/browse/HDFS-14525
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Priority: Major
>
> On Secure Cluster With hadoop.http.authentication.type simple and 
> hadoop.http.authentication.anonymous.allowed is true, WebHdfs Rest Api fails 
> when user.name is not set. It runs fine if user.name=ambari-qa is set..
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H 
> 'Content-Length: 0' --negotiate -u : 
> 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
>  to obtain user group information: java.io.IOException: Security enabled but 
> user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$ 
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of 
> conf.get(hadoop.http.authentication.type).equals("kerberos") to check if Http 
> is Secure causing the issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to