[ https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Varun Vasudev updated YARN-2247: -------------------------------- Attachment: apache-yarn-2247.4.patch {quote} Varun Vasudev, thanks for your patience on my comments. The new patch looks almost good to me. Just some nits: 1. Should not be necessary. Always load TimelineAuthenticationFilter. With "simple" type, still the pseudo handler is to used. {noformat} + if (authType.equals("simple") && !UserGroupInformation.isSecurityEnabled()) { + container.addFilter("authentication", + AuthenticationFilter.class.getName(), filterConfig); + return; + } {noformat} {quote} Good point. Fixed. {quote} 2. Check not null first for testMiniKDC and rm? Same for TestRMWebappAuthentication {noformat} + testMiniKDC.stop(); + rm.stop(); {noformat} {quote} Fixed. {quote} 3. I didn't find the logic to forbid it. Anyway, is it good to mention it in the document as well? {noformat} + // Test to make sure that we can't do delegation token + // functions using just delegation token auth {noformat} {quote} The test is in RMWebServices. {noformat} callerUGI = createKerberosUserGroupInformation(hsr); {noformat} which in turn has this check {noformat} String authType = hsr.getAuthType(); if (!KerberosAuthenticationHandler.TYPE.equals(authType)) { String msg = "Delegation token operations can only be carried out on a " + "Kerberos authenticated channel"; throw new YarnException(msg); } {noformat} I've documented it under the delegation token rest API section: {noformat} All delegation token requests must be carried out on a Kerberos authenticated connection(using SPNEGO). {noformat} > Allow RM web services users to authenticate using delegation tokens > ------------------------------------------------------------------- > > Key: YARN-2247 > URL: https://issues.apache.org/jira/browse/YARN-2247 > Project: Hadoop YARN > Issue Type: Sub-task > Reporter: Varun Vasudev > Assignee: Varun Vasudev > Priority: Blocker > Attachments: apache-yarn-2247.0.patch, apache-yarn-2247.1.patch, > apache-yarn-2247.2.patch, apache-yarn-2247.3.patch, apache-yarn-2247.4.patch > > > The RM webapp should allow users to authenticate using delegation tokens to > maintain parity with RPC. -- This message was sent by Atlassian JIRA (v6.2#6252)