[
https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16853220#comment-16853220
]
Eric Yang commented on HDFS-14525:
----------------------------------
[~Prabhu Joseph] {quote}JspHelper fails Anonymous user requests even though the
http request is successfully authenticated by
PseudoAuthenticationHandler.{quote}
Other types of authentication handler are a valid point. I do not know if any
Hadoop downstream client that actually implements Kerberos RPC + LDAP HTTP has had
any success, but the possibility of trying is real. It would be tough to ask
them to simplify the security model if they are already trying this combo.
However, given how UGI works, the login user must have a Kerberos ticket
associated with the user in a Kerberos environment. PseudoAuthenticationHandler
will generate an anonymous token without a Kerberos ticket, and the token cannot
be verified with the KDC. Allowing a PseudoAuthenticationHandler anonymous token
to pass through can create a loophole in Hadoop security. This is not allowed,
to prevent anonymous tokens from roaming freely in the Hadoop cluster.
This is the reason that it looks correct to change the code to use
conf.get(hadoop.http.authentication.type)!=SIMPLE for the web protocol, but it is
not exactly safe, given how UGI works.
> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
> Key: HDFS-14525
> URL: https://issues.apache.org/jira/browse/HDFS-14525
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 3.2.0
> Reporter: Prabhu Joseph
> Priority: Major
>
> On a secure cluster with hadoop.http.authentication.type simple and
> hadoop.http.authentication.anonymous.allowed true, the WebHdfs REST API fails
> when user.name is not set. It runs fine if user.name=ambari-qa is set.
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H
> 'Content-Length: 0' --negotiate -u :
> 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
> to obtain user group information: java.io.IOException: Security enabled but
> user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of
> conf.get(hadoop.http.authentication.type).equals("kerberos") to check if Http
> is Secure causing the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
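To make the distinction in the comment concrete, here is an added Python model (not Hadoop's code; the Conf fields, filter_principal and webhdfs_status are assumed names) of the HTTP authentication filter, the current JspHelper#getUGI check and the proposed config-based check, run against the reporter's configuration:

```python
# Added model (not Hadoop code) of the checks discussed in HDFS-14525.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conf:
    rpc_auth: str            # hadoop.security.authentication: "simple" or "kerberos"
    http_auth_type: str      # hadoop.http.authentication.type: "simple" or "kerberos"
    anonymous_allowed: bool  # hadoop.http.authentication.anonymous.allowed

def filter_principal(conf: Conf, user_name: Optional[str], has_ticket: bool) -> Optional[str]:
    """What the HTTP authentication filter hands to the servlet (assumed model).
    None means the filter itself rejected the request before JspHelper ran."""
    if conf.http_auth_type == "kerberos":
        return user_name if has_ticket else None          # SPNEGO: ticket required
    if user_name:                                          # PseudoAuthenticationHandler
        return user_name                                   # trusts user.name as given
    return "anonymous" if conf.anonymous_allowed else None # anonymous token, no KDC check

def get_ugi_current(conf: Conf, principal: Optional[str]) -> str:
    """JspHelper#getUGI as the issue describes it: gate on the RPC security mode."""
    security_enabled = conf.rpc_auth == "kerberos"         # UGI.isSecurityEnabled()
    if security_enabled and principal in (None, "anonymous"):
        raise PermissionError("Security enabled but user not authenticated by filter")
    return principal or "anonymous"

def get_ugi_proposed(conf: Conf, principal: Optional[str]) -> str:
    """The proposed change: gate only on hadoop.http.authentication.type."""
    if conf.http_auth_type != "simple" and principal in (None, "anonymous"):
        raise PermissionError("Security enabled but user not authenticated by filter")
    return principal or "anonymous"

def webhdfs_status(conf: Conf, user_name: Optional[str], get_ugi) -> int:
    """HTTP status the request would get: 401 from the filter, 403 from getUGI, else 200."""
    principal = filter_principal(conf, user_name, has_ticket=False)
    if principal is None:
        return 401
    try:
        get_ugi(conf, principal)
    except PermissionError:
        return 403
    return 200

# Constructed configuration matching the report: Kerberos RPC, simple HTTP auth,
# anonymous allowed.
REPORTED = Conf(rpc_auth="kerberos", http_auth_type="simple", anonymous_allowed=True)
```

With REPORTED, an unnamed request gets 403 under the current check and 200 with user.name=ambari-qa, matching the report; under the proposed check the unnamed request also gets 200, which is the anonymous-token pass-through the comment calls a loophole.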