[
https://issues.apache.org/jira/browse/YARN-7862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16354276#comment-16354276
]
Eric Yang commented on YARN-7862:
---------------------------------
[~sunilg] AuthenticationFilter will issue delegation token if user.name
parameter exists, and hadoop.auth cookie doesn't exist from web request, and
service user is allowed to proxy for end user. The best practice is to ensure
that username/password are verified by knox or third party authenticator and
issue the token. AuthenticationFilter are configured to trust source
hostname/IP from Knox gateway only for simple security to work.
> YARN native service REST endpoint needs user.name as query param
> ----------------------------------------------------------------
>
> Key: YARN-7862
> URL: https://issues.apache.org/jira/browse/YARN-7862
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn-native-services
> Reporter: Sunil G
> Priority: Major
>
> While accessing below yarn rest end point with POST method type,
> {code:java}
> http://rm_ip:8088/app/v1/services{code}
> below error is coming in non-secure cluster.
> {noformat}
> {
> "diagnostics": "Null user"
> }{noformat}
> When *user.name* is provided as query param with *dr.who* we can see that
> yarn started service with proxy user, not dr.who.
> In non-secure cluster, native service should ideally take the user from
> remote ugi.
> in secure cluster, its better to derive user from kerberized shell.
>
> cc/ [~jianhe] [~eyang]
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
