[ https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16852854#comment-16852854 ]

Prabhu Joseph commented on HDFS-14525:
--------------------------------------

[~eyang] Thanks for the inputs.

1. As per my understanding, hadoop.security.authentication is specific to RPC 
Authentication whereas hadoop.http.authentication.type is specific to HTTP 
Authentication. We have simple, kerberos authentication for RPC whereas HTTP 
Authentication can be simple, kerberos, ldap (LdapAuthenticationHandler), 
WebSSO (JWTRedirectAuthenticationHandler) which is used for Knox and also can 
be custom. Customers use ldap or websso for HTTP and kerberos for RPC. I think 
we need a separate config for HTTP to have different authentication behavior 
from RPC.

And as per the testing, fixing the two places below should be fine.

1. HttpServer2 does Kerberos initSpnego when hadoop.security.authentication is 
kerberos, which can cause http requests (Pseudo) to fail with "Authentication 
Required". Will fix this in Hadoop-16314.

2. JspHelper fails Anonymous user requests even though the http request is 
successfully authenticated by PseudoAuthenticationHandler.

Please let me know how to proceed further. Thanks.









> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
>                 Key: HDFS-14525
>                 URL: https://issues.apache.org/jira/browse/HDFS-14525
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Priority: Major
>
> On Secure Cluster With hadoop.http.authentication.type simple and 
> hadoop.http.authentication.anonymous.allowed is true, WebHdfs Rest Api fails 
> when user.name is not set. It runs fine if user.name=ambari-qa is set.
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H 
> 'Content-Length: 0' --negotiate -u : 
> 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
>  to obtain user group information: java.io.IOException: Security enabled but 
> user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$ 
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of 
> conf.get(hadoop.http.authentication.type).equals("kerberos") to check if Http 
> is Secure causing the issue.


