[jira] [Updated] (HDDS-1901) Fix Ozone HTTP WebConsole Authentication

Mon, 05 Aug 2019 10:39:02 -0700 


     [ 
https://issues.apache.org/jira/browse/HDDS-1901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiaoyu Yao updated HDDS-1901:
-----------------------------
    Status: Patch Available  (was: Open)

> Fix Ozone HTTP WebConsole Authentication
> ----------------------------------------
>
>                 Key: HDDS-1901
>                 URL: https://issues.apache.org/jira/browse/HDDS-1901
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Xiaoyu Yao
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This was found during integration testing where the http authentication is 
> enabled but anonymous can still access the ozone http web console like 
> scm:9876 or om:9874. This can be reproed with the following configurations 
> added to the ozonesecure docker-compose.
> {code}
> CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
> CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
> CORE-SITE.XML_hadoop.http.authentication.type=kerberos
> CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_h...@example.com
> CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
> CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
> {code}
> After debugging into the KerberosAuthenticationFilter, the root cause is the 
> name of the keytab does not follow the AuthenticationFilter tradition. The 
> fix is to changeĀ 
> hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and
> hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab
> I will also add an integration test for this under ozonesecure 
> docker-compose. 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to