[ https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16852854#comment-16852854 ]
Prabhu Joseph commented on HDFS-14525:
--------------------------------------

[~eyang] Thanks for the inputs.

1. As per my understanding, hadoop.security.authentication is specific to RPC Authentication whereas hadoop.http.authentication.type is specific to HTTP Authentication. We have simple, kerberos authentication for RPC whereas HTTP Authentication can be simple, kerberos, ldap (LdapAuthenticationHandler), WebSSO (JWTRedirectAuthenticationHandler) which is used for Knox and also can be custom. Customers use ldap or websso for HTTP and kerberos for RPC. I think we need a separate config for HTTP to have different authentication behavior from RPC.

And as per the testing, fixing below two places should be fine.

1. HttpServer2 does Kerberos initSpnego when hadoop.security.authentication is kerberos which can cause http requests (Pseudo) failing with "Authentication Required". Will fix this in Hadoop-16314.
2. JspHelper fails Anonymous user requests even though the http request is successfully authenticated by PseudoAuthenticationHandler.

Please let me know how to proceed further. Thanks.

> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
>                 Key: HDFS-14525
>                 URL: https://issues.apache.org/jira/browse/HDFS-14525
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Priority: Major
>
> On Secure Cluster with hadoop.http.authentication.type simple and hadoop.http.authentication.anonymous.allowed is true, WebHdfs Rest Api fails when user.name is not set. It runs fine if user.name=ambari-qa is set.
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H 'Content-Length: 0' --negotiate -u : 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Security enabled but user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of conf.get(hadoop.http.authentication.type).equals("kerberos") to check if Http is Secure causing the issue.
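
The two checks contrasted in the issue description, as an added example that is not Hadoop source and not part of the original message: a simplified Java model run over constructed configurations. The class and method names are hypothetical, and the model assumes the cluster-wide security flag follows hadoop.security.authentication and that an anonymous request arrives with no user name.

```java
import java.util.Map;

// Simplified model of the check discussed in HDFS-14525; not Hadoop source.
// Class, method and parameter names here are hypothetical.
public class HttpAuthCheckModel {
    static final String RPC_AUTH = "hadoop.security.authentication";
    static final String HTTP_AUTH = "hadoop.http.authentication.type";

    // Reported behaviour: the decision keys off the cluster-wide security flag
    // (assumed here to follow the RPC setting), so a request that the HTTP
    // filter let through without a user name is still refused.
    static String reportedCheck(Map<String, String> conf, String remoteUser) {
        boolean secure = "kerberos".equals(conf.get(RPC_AUTH));
        return decide(secure, remoteUser);
    }

    // Check proposed in the issue: key off the HTTP authentication type instead.
    static String proposedCheck(Map<String, String> conf, String remoteUser) {
        boolean secure = "kerberos".equals(conf.get(HTTP_AUTH));
        return decide(secure, remoteUser);
    }

    // Shared decision: a secure HTTP endpoint needs a user set by the filter.
    static String decide(boolean secure, String remoteUser) {
        if (secure && remoteUser == null) {
            return "403 Security enabled but user not authenticated by filter";
        }
        return "200 as " + (remoteUser == null ? "(anonymous)" : remoteUser);
    }

    public static void main(String[] args) {
        // Constructed cases: {RPC auth, HTTP auth type, user.name or null}
        String[][] cases = {
            {"kerberos", "simple", null},        // the case reported in the issue
            {"kerberos", "simple", "ambari-qa"}, // accepted by both checks
            {"kerberos", "kerberos", null},      // refused by both checks
            {"simple", "simple", null},          // accepted by both checks
        };
        for (String[] c : cases) {
            Map<String, String> conf = Map.of(RPC_AUTH, c[0], HTTP_AUTH, c[1]);
            System.out.printf("rpc=%-8s http=%-8s user=%-9s reported=%s | proposed=%s%n",
                c[0], c[1], c[2], reportedCheck(conf, c[2]), proposedCheck(conf, c[2]));
        }
    }
}
```

Only the first case differs between the two checks, which is the combination the report describes: Kerberos for RPC, simple HTTP authentication, and no user.name on the request.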