[
https://issues.apache.org/jira/browse/YARN-9334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16779931#comment-16779931
]
Hudson commented on YARN-9334:
------------------------------
SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #16087 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/16087/])
YARN-9334. Allow YARN Service client to send SPNEGO challenge header (eyang:
rev 04b228e43b728d574d7ad97330aa4218cb7f8bf8)
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/client/ApiServiceClient.java
> YARN Service Client does not work with SPNEGO when knox is configured
> ---------------------------------------------------------------------
>
> Key: YARN-9334
> URL: https://issues.apache.org/jira/browse/YARN-9334
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn-native-services
> Affects Versions: 3.1.0, 3.2.0
> Reporter: Tarun Parimi
> Assignee: Billie Rinaldi
> Priority: Major
> Fix For: 3.3.0
>
> Attachments: YARN-9334.01.patch
>
>
> When knox is configured, the configuration hadoop.http.authentication.type is
> set to
> org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
> instead of kerberos.
> We have the following check in ApiServiceClient#getApiClient for kerberos.
> {code:java}
> if (conf.get("hadoop.http.authentication.type").equals("kerberos")) {
> try {
> URI url = new URI(requestPath);
> String challenge = YarnClientUtils.generateToken(url.getHost());
> builder.header(HttpHeaders.AUTHORIZATION, "Negotiate " + challenge);
> } catch (Exception e) {
> throw new IOException(e);
> }
> }
> {code}
> So we always get 401 error since there is no auth handled for knox.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
