[
https://issues.apache.org/jira/browse/HDDS-1901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16901419#comment-16901419
]
Hudson commented on HDDS-1901:
------------------------------
FAILURE: Integrated in Jenkins build Hadoop-trunk-Commit #17049 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/17049/])
HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by (github:
rev a63023f2610438b9a142db3feb14236fe188b42d)
* (edit) hadoop-hdds/docs/content/security/SecureOzone.md
* (edit)
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
* (edit) hadoop-hdds/common/src/main/resources/ozone-default.xml
* (edit) hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
* (edit)
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
* (edit) hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
> Fix Ozone HTTP WebConsole Authentication
> ----------------------------------------
>
> Key: HDDS-1901
> URL: https://issues.apache.org/jira/browse/HDDS-1901
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Affects Versions: 0.4.0
> Reporter: Vivek Ratnavel Subramanian
> Assignee: Xiaoyu Yao
> Priority: Major
> Labels: pull-request-available
> Fix For: 0.4.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> This was found during integration testing where the http authentication is
> enabled but anonymous can still access the ozone http web console like
> scm:9876 or om:9874. This can be reproed with the following configurations
> added to the ozonesecure docker-compose.
> {code}
> CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
> CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
> CORE-SITE.XML_hadoop.http.authentication.type=kerberos
> CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/[email protected]
> CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
> CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
> {code}
> After debugging into the KerberosAuthenticationFilter, the root cause is the
> name of the keytab does not follow the AuthenticationFilter tradition. The
> fix is to changeĀ
> hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and
> hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab
> I will also add an integration test for this under ozonesecure
> docker-compose.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
