[jira] [Updated] (HDDS-1901) Fix Ozone HTTP WebConsole Authentication

Tue, 06 Aug 2019 12:31:11 -0700 


     [ 
https://issues.apache.org/jira/browse/HDDS-1901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiaoyu Yao updated HDDS-1901:
-----------------------------
       Resolution: Fixed
    Fix Version/s: 0.4.1
           Status: Resolved  (was: Patch Available)

> Fix Ozone HTTP WebConsole Authentication
> ----------------------------------------
>
>                 Key: HDDS-1901
>                 URL: https://issues.apache.org/jira/browse/HDDS-1901
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Xiaoyu Yao
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 0.4.1
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> This was found during integration testing where the http authentication is 
> enabled but anonymous can still access the ozone http web console like 
> scm:9876 or om:9874. This can be reproed with the following configurations 
> added to the ozonesecure docker-compose.
> {code}
> CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
> CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
> CORE-SITE.XML_hadoop.http.authentication.type=kerberos
> CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/[email protected]
> CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
> CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
> {code}
> After debugging into the KerberosAuthenticationFilter, the root cause is the 
> name of the keytab does not follow the AuthenticationFilter tradition. The 
> fix is to changeĀ 
> hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and
> hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab
> I will also add an integration test for this under ozonesecure 
> docker-compose. 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to