[ 
https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060780#comment-14060780
 ] 

Zhijie Shen commented on YARN-2247:
-----------------------------------

[~vvasudev], thanks for your work on this patch, which looks good to me overall.

Some meta-comments:

1. Like YARN-2228, you may want to always use 
YarnAuthenticationFilterInitializer to load the auth filter. When security 
is enabled, use the kerberos auth handler. Otherwise, use the pseudo auth 
handler instead.

2. IMHO, the configs for different components' http authentication had better 
have different prefixes, such that we can easily make different configs for 
each component in a single config file. We have done a similar thing for YARN 
components' RPC kerberos authentication.

3. The authentication thing has duplicated those of httpfs and timeline server 
again, which is fine now. However, after HADOOP-10771, RM may be able to reuse 
the dt+kerberos auth filter in hadoop-auth as well. We need to file a ticket to 
track it.

4. With the auth filter working, the other get APIs can also benefit, such as 
getApp(s). We can do these actions with the right users. Again, let's file a 
follow-up ticket to deal with them.

Other details: 

1. RM_WEBAPP_USE_YARN_AUTH_FILTER ->  RM_WEBAPP_AUTH_FILTER and 
use-yarn-auth-filter -> auth-filter.enabled? And if the component is not RM 
only, should we not start with RM_ prefix, but use YARN_ prefix instead? Last 
but not least, if we always execute YarnAuthenticationFilterInitializer, the 
flag is not required then.
{code}
+  public static final String RM_WEBAPP_USE_YARN_AUTH_FILTER =
+      RM_PREFIX + "webapp.use-yarn-auth-filter";
{code}
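
Review bot: The new public constant RM_WEBAPP_USE_YARN_AUTH_FILTER is added without a Javadoc comment, and no default-value constant appears beside it in these lines. Since the key name indicates it switches the webapp's auth filter on or off, document what enabling it does and define the default next to it, so that an unset key cannot be read two ways.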

2. Only this constructor will be called, won't it? Do we still need the other 
constructors?
{code}
+  public YarnAuthenticationFilterInitializer() {
+    this("hadoop.http.authentication.");
+  }
{code}
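
Review bot: The no-argument constructor passes the prefix "hadoop.http.authentication." as a bare string literal. Move it to a named constant and add a Javadoc line saying this is the prefix used when the caller supplies none, so the default cannot drift from the property names used elsewhere.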

3. The authentication filter class actually accepts a null signature secret 
file, hence I think we should allow the null case.
{code}
+    if (signatureSecretFile == null) {
+      throw new RuntimeException("Undefined property: "
+          + signatureSecretFileProperty);
+    }
{code}
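
Review bot: The null check on signatureSecretFile throws a bare RuntimeException, so a caller cannot tell a missing property from any other runtime failure. If the check stays, use a more specific exception type for the configuration error and keep the property name in the message as it is now.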

> Allow RM web services users to authenticate using delegation tokens
> -------------------------------------------------------------------
>
>                 Key: YARN-2247
>                 URL: https://issues.apache.org/jira/browse/YARN-2247
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>         Attachments: apache-yarn-2247.0.patch
>
>
> The RM webapp should allow users to authenticate using delegation tokens to 
> maintain parity with RPC.


