YUBI LEE created HADOOP-18666: --------------------------------- Summary: A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server Key: HADOOP-18666 URL: https://issues.apache.org/jira/browse/HADOOP-18666 Project: Hadoop Common Issue Type: Bug Components: security Reporter: YUBI LEE
Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}. However, I found that ResourceManager and Job History Server doesn't repect {{hadoop.http.authentication.kerberos.endpoint.whitelist}}. To workaround this issue for ResourceManager, set {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in yarn-site.xml. However, there is no workaround for Job History Server. This bug is caused by {{HttpServer2#initSpnego}} call without proper configurations which starts with "{{hadoop.http.authentication.}}". I will make a PR soon. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-dev-h...@hadoop.apache.org