YUBI LEE created HADOOP-18666:
---------------------------------
Summary: A whitelist of endpoints to skip Kerberos authentication
doesn't work for ResourceManager and Job History Server
Key: HADOOP-18666
URL: https://issues.apache.org/jira/browse/HADOOP-18666
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: YUBI LEE
Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos
authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
However, I found that ResourceManager and Job History Server doesn't repect
{{hadoop.http.authentication.kerberos.endpoint.whitelist}}.
To workaround this issue for ResourceManager, set
{{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in
yarn-site.xml.
However, there is no workaround for Job History Server.
This bug is caused by {{HttpServer2#initSpnego}} call without proper
configurations which starts with "{{hadoop.http.authentication.}}".
I will make a PR soon.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
