TT web-consoles

Alejandro Abdelnur (JIRA) Fri, 28 Jan 2011 14:01:14 -0800

    [ 
https://issues.apache.org/jira/browse/HADOOP-7119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988263#action_12988263
 ]


Alejandro Abdelnur commented on HADOOP-7119:
--------------------------------------------

Thanks for the comments/feedback.

*On not using {{hadoop.http.filter.initializers}}*

I've completely missed the existence of this. I'll refactor the patch to 
levarage it, it will make the patch much simpler and won't have to mock around 
with the build.

*On why dependent upon a cookie*

HTTP SPNEGO takes care of the authentication protocol only, it does not take 
care of keeping track of authenticated requests. Once the HTTP SPNEGO sequence 
is complete, you responsible for keeping track of authenticated user-agents. 
That is where the cookie comes into play, this is how most HTTP authentication 
mechanisms work and browsers support it.

Furthermore, if you would not use cookies, you would initiate an HTTP SPNEGO 
authentication sequence on every request, which requires an extra HTTP round 
trip. This would be an expensive operation. And it would work only with HTTP 
GET requests (I believe this would not be an issue for today's Hadoop console).

*On why not using HttpComponents*

As far as I know, HttpComponents is client side only. This patch is using 
Alfredo server side authentication capabilities, not the client ones.


I'l work in a new patch using hadoop.http.filter.initializers.

Thanks.


> add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT 
> web-consoles
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-7119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7119
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>         Environment: all
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: ha-commons.patch
>
>
> Currently the JT/NN/DN/TT web-consoles don't support any form of 
> authentication.
> Hadoop RPC API already supports Kerberos authentication.
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos 
> HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to Hadoop web consoles would provide 
> a unified authentication mechanism and single sign-on for Hadoop web UI and 
> Hadoop RPC.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HADOOP-7119) add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles

Reply via email to