[
https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295068#comment-15295068
]
Larry McCay commented on YARN-4006:
-----------------------------------
Okay - I am starting to understand where the ambiguity complaints are coming
from...

Can we step back and answer a few questions:

1. AltKerberos is generally used to split the authentication mechanisms used
   for browsers/UIs and non-browsers (java, curl, wget, perl, etc) in order to
   not require the burden of SPNEGO being enabled for the browsers. The
   inability to enable AltKerberos at this endpoint should just make browsers
   not be able to use something other than SPNEGO. For instance, a cookie may
   be available from webapps that can be used to communicate the previous
   authentication event and identity.

   a. How does enabling AltKerberos for other endpoints break the Yarn client
      - which should have a user agent of java - when it should be expecting
      SPNEGO - given that it is using REST?

   b. I guess the fact that the same property
      (hadoop.http.authentication.type) is being used for the existing
      integration points as well as in ATS means that the current code creates
      no authentication handler and results in an NPE? If the case is that
      there is no UI aspect at the ATS integration point then we don't
      necessarily have to support AltKerberos here but instead just make sure
      that kerberos is properly instantiated there. Which would also require a
      simple change here.

2. Without seeing any changes related to the need to super() up to the parent
   AltKerberos class, I am having trouble understanding why that change is
   needed.

3. If we do indeed need to have the exact same pattern for enabling custom
   authentication handlers here (in multiple places in general) then it seems
   that we should actually be factoring that logic out into a common
   AutheneticationHandlerBuilder class that can be plugged in anywhere.

I think if we can articulate answers to the above questions it will make the
use case and problem much more clear.

I apologize if it is already in the comments above and I just can't get my head
around it.

> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
> Key: YARN-4006
> URL: https://issues.apache.org/jira/browse/YARN-4006
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, timelineserver
> Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
> Reporter: Greg Senia
> Assignee: Greg Senia
> Priority: Blocker
> Attachments: YARN-4006-branch-trunk.patch,
> YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch
>
>
> When attempting to use the Hadoop Alternate Authentication classes, they do
> not exactly work with what was built with YARN-1935.
> I went ahead and made the following changes to support using a custom
> AltKerberos DelegationToken class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
> String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
> LOG.info("AuthType Configured: "+authType);
> if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
>   filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>       PseudoDelegationTokenAuthenticationHandler.class.getName());
>   LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
> } else if (authType.equals(KerberosAuthenticationHandler.TYPE) ||
>     (UserGroupInformation.isSecurityEnabled() &&
>     conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) {
>   if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>         authType);
>     LOG.info("AuthType: "+authType);
>   } else {
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>         KerberosDelegationTokenAuthenticationHandler.class.getName());
>     LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>   }
>   // Resolve _HOST into bind address
>   String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>   String principal =
>       filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>   if (principal != null) {
>     try {
>       principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>     } catch (IOException ex) {
>       throw new RuntimeException(
>           "Could not resolve Kerberos principal name: " + ex.toString(),
>           ex);
>     }
>     filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
>         principal);
>   }
> }
> {code}
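
Added example (not code from this issue, its attached patches, or Hadoop): one way to put the auth-type-to-handler mapping raised in questions 1b and 3 in a single place, rejecting a missing or unrecognised type at startup instead of leaving the filter without a handler. The class name `AuthHandlerTypeResolver`, the sample handler `com.example.MyAltKerberosHandler`, and the rule that a custom type must look like a dotted class name are assumptions made for illustration; the security-enabled condition from the quoted snippet is left out.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: maps a configured auth type to a handler class name. */
public class AuthHandlerTypeResolver {
    // Values of PseudoAuthenticationHandler.TYPE and KerberosAuthenticationHandler.TYPE.
    static final String SIMPLE = "simple";
    static final String KERBEROS = "kerberos";
    // Handler classes named in the quoted snippet, kept as strings so this
    // file compiles without Hadoop on the classpath.
    static final String PSEUDO_DT = "org.apache.hadoop.security.token.delegation.web."
        + "PseudoDelegationTokenAuthenticationHandler";
    static final String KERBEROS_DT = "org.apache.hadoop.security.token.delegation.web."
        + "KerberosDelegationTokenAuthenticationHandler";

    /** Returns the handler class name for the filter config, or throws. */
    static String resolve(String authType) {
        if (authType == null || authType.trim().isEmpty()) {
            // Explicit failure with a clear message rather than an NPE later on.
            throw new IllegalArgumentException("authentication type is not configured");
        }
        String type = authType.trim();
        if (type.equals(SIMPLE)) {
            return PSEUDO_DT;
        }
        if (type.equals(KERBEROS)) {
            return KERBEROS_DT;
        }
        // Assumption: any other value must be a fully qualified custom handler
        // class (for example an AltKerberos subclass); typos are rejected.
        if (!type.contains(".")) {
            throw new IllegalArgumentException("unknown authentication type: " + type);
        }
        return type;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "type" is the value of AuthenticationFilter.AUTH_TYPE.
        String[] samples = {"simple", "kerberos", "com.example.MyAltKerberosHandler", "kerbros", null};
        for (String sample : samples) {
            Map<String, String> filterConfig = new HashMap<>();
            try {
                filterConfig.put("type", resolve(sample));
                System.out.println(sample + " -> " + filterConfig.get("type"));
            } catch (IllegalArgumentException e) {
                System.out.println(sample + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```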