[jira] [Updated] (YARN-2247) Allow RM web services users to authenticate using delegation tokens

Wed, 23 Jul 2014 07:47:08 -0700 

     [ 
https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Varun Vasudev updated YARN-2247:
--------------------------------

    Attachment: apache-yarn-2247.4.patch

{quote}
Varun Vasudev, thanks for your patience on my comments. The new patch looks 
almost good to me. Just some nits:

1. Should not be necessary. Always load TimelineAuthenticationFilter. With 
"simple" type, still the pseudo handler is to used.
{noformat}
+    if (authType.equals("simple") && 
!UserGroupInformation.isSecurityEnabled()) {
+      container.addFilter("authentication",
+        AuthenticationFilter.class.getName(), filterConfig);
+      return;
+    }
{noformat}
{quote}
Good point. Fixed.

{quote}
2. Check not null first for testMiniKDC and rm? Same for 
TestRMWebappAuthentication
{noformat}
+    testMiniKDC.stop();
+    rm.stop();
{noformat}
{quote}
Fixed.

{quote}
3. I didn't find the logic to forbid it. Anyway, is it good to mention it in 
the document as well?
{noformat}
+  // Test to make sure that we can't do delegation token
+  // functions using just delegation token auth
{noformat}
{quote}
The test is in RMWebServices.
{noformat}
callerUGI = createKerberosUserGroupInformation(hsr);
{noformat}
which in turn has this check 
{noformat}
    String authType = hsr.getAuthType();
    if (!KerberosAuthenticationHandler.TYPE.equals(authType)) {
      String msg =
          "Delegation token operations can only be carried out on a "
              + "Kerberos authenticated channel";
      throw new YarnException(msg);
    }
{noformat}

I've documented it under the delegation token rest API section:
{noformat}
 All delegation token requests must be carried out on a Kerberos authenticated 
connection(using SPNEGO).
{noformat}

> Allow RM web services users to authenticate using delegation tokens
> -------------------------------------------------------------------
>
>                 Key: YARN-2247
>                 URL: https://issues.apache.org/jira/browse/YARN-2247
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: apache-yarn-2247.0.patch, apache-yarn-2247.1.patch, 
> apache-yarn-2247.2.patch, apache-yarn-2247.3.patch, apache-yarn-2247.4.patch
>
>
> The RM webapp should allow users to authenticate using delegation tokens to 
> maintain parity with RPC.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to