[
https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295150#comment-15295150
]
Greg Senia commented on YARN-4006:
----------------------------------
I would definitely agree Knox is the long term answer. At my new employer we
are rolling out Knox for users interacting with Hadoop outside of the cluster
network. I've relayed this back to my remaining contacts at my previous
employer that it is best to ditch AltAuth code altogether. The whole reason
for the AltAuth handler use was born out of Data Scientists and Hadoop end users
being upset that they couldn't view their job logs while things were running.
This was because we decided to protect the HTTP/S UIs with Kerberos as folks
started to leak PII/PHI in custom MapReduce/YARN job logs in debug mode, and
Kerberizing the HTTP endpoints was a way to contain it. I think the things
blocking Knox rollout in both my current and previous employer are the status
of the remaining JIRAs around the UIs.
I know when reading the HWX docs supposedly all the UIs are supported.
[~vinodkv] and [~lmccay] do you know if these are all supported in HA mode? If
so this JIRA can be closed out in my book as it really is dead ended unless
folks don't want to use Knox.
WHAT KNOX DOES
With YARN as its architectural center, Apache Hadoop continues to attract new
engines to run within the data platform, as organizations want to efficiently
store their data in a single repository and interact with it for batch,
interactive and real-time streaming use cases. More and more independent
software vendors (ISVs) are developing applications to run in Hadoop via YARN.
This increases the number of users and processing engines that operate
simultaneously across a Hadoop cluster, on the same data, at the same time.
The Apache Knox Gateway (“Knox”) provides perimeter security so that the
enterprise can confidently extend Hadoop access to more of those new users
while also maintaining compliance with enterprise security policies. Knox also
simplifies Hadoop security for users who access the cluster data and execute
jobs. It integrates with prevalent identity management and SSO systems and
allows identities from those enterprise systems to be used for seamless, secure
access to Hadoop clusters.
Knox provides perimeter security for Hadoop clusters, with these advantages:
Simplified access: Extend Hadoop's REST/HTTP services by encapsulating
  Kerberos within the cluster
Enhanced security: Expose Hadoop's REST/HTTP services without revealing
  network details, with SSL provided out of box
Centralized control: Centrally enforce REST API security and route requests
  to multiple Hadoop clusters
Enterprise integration: Support LDAP and Active Directory
The following Apache Hadoop services have integrations with the Knox Gateway:
http://hortonworks.com/apache/knox-gateway/
Supported Apache Hadoop Services
Ambari
WebHDFS (HDFS)
Templeton (HCatalog)
Stargate (HBase)
Oozie
Hive/JDBC
Yarn RM
Storm
Supported Apache Hadoop UIs
Name Node UI
Job History UI
Oozie UI
HBase UI
Yarn UI
Spark UI
Ambari UI
Ranger Admin Console
Not Resolved:
Having Knox Supporting Hadoop/Yarn/HBase/Hive High Availability -
https://issues.apache.org/jira/browse/KNOX-567
Support Zeppelin UI through Knox -
https://issues.apache.org/jira/browse/KNOX-710
NameNode UI through Knox has various tabs not working -
https://issues.apache.org/jira/browse/KNOX-626
Views in Ambari UI don't render when proxied by the AMBARIUI service -
https://issues.apache.org/jira/browse/KNOX-705
HBase Master UI through Knox is missing JS and CSS resources -
https://issues.apache.org/jira/browse/KNOX-627
Oozie Web UI doesn't render when proxied using Knox -
https://issues.apache.org/jira/browse/KNOX-628
Fixed:
Proxy support for Ranger UI - https://issues.apache.org/jira/browse/KNOX-668
Knox support for HiveServer2 HA - https://issues.apache.org/jira/browse/KNOX-570
Proxy support for Ambari UI - https://issues.apache.org/jira/browse/KNOX-673
Provide a template topology file for UI proxy services -
https://issues.apache.org/jira/browse/KNOX-625
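As an added illustration (not part of this comment, the JIRA issue, or the Knox
project's own files) of the topology file through which Knox fronts the services
listed above: one topology proxies WebHDFS, the YARN ResourceManager REST API and
the YARN UI behind LDAP authentication, and adds the HaProvider so that two
NameNode URLs are tried in turn, which is the HA behaviour the question about
KNOX-567 concerns. Hostnames, ports, the LDAP URL and the user DN template are
constructed placeholders; the provider and service role names and the
HaProvider parameter string follow the Knox 0.x user guide conventions and are
assumptions to verify against the Knox version being deployed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example Knox topology (constructed for illustration, not a project file).
     Saved as {GATEWAY_HOME}/conf/topologies/cluster1.xml it is served under
     https://<knox-host>:8443/gateway/cluster1/... -->
<topology>
  <gateway>
    <!-- End users authenticate to Knox with LDAP credentials over HTTP Basic;
         they never hold cluster Kerberos credentials. -->
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>sessionTimeout</name><value>30</value></param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <!-- placeholder DN template: adjust to the directory's schema -->
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=example,dc=com</value>
      </param>
      <param>
        <!-- placeholder directory URL; use ldaps:// for a production directory -->
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://ldap.example.com:389</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <!-- every URL under this topology requires authentication -->
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>

    <!-- The authenticated LDAP user name is asserted to the cluster as the
         effective user (doAs) via Knox's proxyuser identity. -->
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>

    <!-- Fail over between the NameNode URLs listed for WEBHDFS below. -->
    <provider>
      <role>ha</role>
      <name>HaProvider</name>
      <enabled>true</enabled>
      <param>
        <name>WEBHDFS</name>
        <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
      </param>
    </provider>
  </gateway>

  <!-- Backend service endpoints (placeholder hosts); with the HaProvider
       enabled for WEBHDFS, both NameNode URLs are tried in order. -->
  <service>
    <role>WEBHDFS</role>
    <url>http://nn1.example.com:50070/webhdfs</url>
    <url>http://nn2.example.com:50070/webhdfs</url>
  </service>
  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://rm1.example.com:8088/ws</url>
  </service>
  <service>
    <role>YARNUI</role>
    <url>http://rm1.example.com:8088</url>
  </service>
</topology>
```

Two points from the Knox user guide are worth keeping in mind when reading
this: with a Kerberized cluster the gateway itself holds the keytab
(gateway.hadoop.kerberos.secured=true in gateway-site.xml), so the cluster's
core-site.xml must list the Knox service user as a proxy user, and limiting
hadoop.proxyuser.knox.hosts to the gateway hosts is what keeps that
impersonation right from being usable from anywhere else; and the LDAP password
crosses the Knox front door, so the gateway should only be reached over the
TLS listener, which is the "SSL provided out of box" advantage quoted above.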
> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
> Key: YARN-4006
> URL: https://issues.apache.org/jira/browse/YARN-4006
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, timelineserver
> Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
> Reporter: Greg Senia
> Assignee: Greg Senia
> Priority: Blocker
> Attachments: YARN-4006-branch-trunk.patch,
> YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch
>
>
> When attempting to use the Hadoop Alternate Authentication classes, they do
> not exactly work with what was built with YARN-1935.
> I went ahead and made the following changes to support using a custom
> AltKerberos DelegationToken class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
> String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
> LOG.info("AuthType Configured: " + authType);
> if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
>   filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>       PseudoDelegationTokenAuthenticationHandler.class.getName());
>   LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
> } else if (authType.equals(KerberosAuthenticationHandler.TYPE)
>     || (UserGroupInformation.isSecurityEnabled()
>         && conf.get("hadoop.security.authentication")
>             .equals(KerberosAuthenticationHandler.TYPE))) {
>   if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
>     // Security is enabled but a custom handler class (e.g. an AltKerberos
>     // subclass) was configured: pass that class name through unchanged.
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE, authType);
>     LOG.info("AuthType: " + authType);
>   } else {
>     // Plain "kerberos": substitute the delegation-token-aware handler.
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>         KerberosDelegationTokenAuthenticationHandler.class.getName());
>     LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>   }
>   // Resolve _HOST into bind address
>   String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>   String principal =
>       filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>   if (principal != null) {
>     try {
>       principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>     } catch (IOException ex) {
>       throw new RuntimeException(
>           "Could not resolve Kerberos principal name: " + ex.toString(), ex);
>     }
>     filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
>   }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]