[
https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16852447#comment-16852447
]
Eric Yang commented on HDFS-14525:
----------------------------------
[~daryn], [~Prabhu Joseph] This boils down to whether there is any valid use case to
keep hadoop.http.authentication.type independent of
hadoop.security.authentication?
In various places in the Hadoop code, UserGroupInformation.isSecurityEnabled()
is used interchangeably for the web protocol, for example in
[DFSUtil.java|https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java#L1614].
This mistake indicates that developers have the interest at heart to
standardize the use of the hadoop.security.authentication setting and keep
anonymous users out.
Maybe it is time to revisit whether there is a valid use case to set
hadoop.http.authentication.type differently from
hadoop.security.authentication? If there is no valid use case, then we
probably want to deprecate hadoop.http.authentication.type to avoid the
circular discussions. All web apps can depend on
UserGroupInformation.isSecurityEnabled(). Hence, this bug can be invalidated.
My vote is to deprecate the hadoop.http.authentication.type setting to avoid code
incorrectness and confusion.
> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
> Key: HDFS-14525
> URL: https://issues.apache.org/jira/browse/HDFS-14525
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 3.2.0
> Reporter: Prabhu Joseph
> Priority: Major
>
> On a secure cluster with hadoop.http.authentication.type simple and
> hadoop.http.authentication.anonymous.allowed is true, the WebHDFS REST API fails
> when user.name is not set. It runs fine if user.name=ambari-qa is set.
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H
> 'Content-Length: 0' --negotiate -u :
> 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
> to obtain user group information: java.io.IOException: Security enabled but
> user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of
> conf.get(hadoop.http.authentication.type).equals("kerberos") to check if HTTP
> is secure, causing the issue.
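A configuration audit for the divergence discussed in this thread, as an added example that is not part of the original message or of Hadoop's own code. The function names, the constructed sample configurations, and the default values are assumptions; the anonymous-access key is taken as `hadoop.http.authentication.simple.anonymous.allowed`, the name used in Hadoop's core-default.xml.

```python
import xml.etree.ElementTree as ET

# Assumed defaults (Hadoop core-default.xml); verify against your release.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
}

# Constructed sample: the combination described in the issue.
REPORTED_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>"""

# Constructed sample: both settings aligned.
ALIGNED_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse trusted, local Hadoop <configuration> XML into name -> value."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_http_auth(xml_text):
    """Return findings where web authentication diverges from RPC authentication."""
    p = load_props(xml_text)
    rpc = p["hadoop.security.authentication"]
    http = p["hadoop.http.authentication.type"]
    anon = p["hadoop.http.authentication.simple.anonymous.allowed"].lower() == "true"
    findings = []
    if rpc.lower() != http.lower():
        findings.append(f"mismatch: security.authentication={rpc}, http.authentication.type={http}")
    if rpc.lower() == "kerberos" and http.lower() == "simple":
        findings.append("isSecurityEnabled() checks in web code may reject requests the simple filter lets through (HDFS-14525)")
        if anon:
            findings.append("anonymous web requests are allowed on a secure cluster")
    return findings

if __name__ == "__main__":
    for label, site in (("reported", REPORTED_SITE), ("aligned", ALIGNED_SITE)):
        print(label, audit_http_auth(site))
```

Run it against each daemon's effective core-site.xml; an empty result means the web and RPC authentication settings agree.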