[ https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859099#comment-16859099 ]
Prabhu Joseph commented on HADOOP-16354:
----------------------------------------

[~eyang] Thanks for reviewing.

1. Have removed setting {{simple.anonymous.allowed}} to true by default.

2. Before HADOOP-16314, the default filter is {{AuthFilter}} for WebHdfs and {{AuthenticationFilter}} for NameNode UI. WebHdfs can provide delegation token support only when {{AuthFilter}} + {{UserProvider}} Injector (which calls {{JspHelper#getUGI}}) is configured. Have retained the same default of {{AuthFilter}} for WebHdfs for backward compatibility. Users can configure {{ProxyUserAuthenticationFilterInitializer}} if required, which will exclude {{AuthFilter}}.

3. The default {{AuthFilter}} fixes Distcp with WebHdfs as well (HADOOP-16356). MapReduce JobClient fetches delegation token from WebHdfs. This works with valid kerberos ticket. Any {{AuthenticationFilter}} ({{ProxyUserAuthenticationFilter}} or {{AuthFilter}}) which does kerberos authentication will be able to provide a token.

{code:java}
curl --negotiate -u : "http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs"
{"Token":{"urlString":"IAAEa25veARoZGZzAIoBayNUC66KAWtHYI-ujgGxjgFnFKE9HVj_mxbfJd2lxzNGMHRDx_wVEldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA"}}
{code}

But when mapreduce tasks use the token in subsequent call, WebHdfs has to be configured with {{AuthFilter}} to perform delegation token authentication. Both {{ProxyUserAuthenticationFilter}} and {{AuthenticationFilter}} will fail with "Authentication Required" as it expects only kerberos authentication.

{code:java}
curl 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS&delegation=IAAEa25veARoZGZzAIoBay16h0mKAWtRhwtJjgG1jgF6FHXhPdw7C4nPpM7-P97b_BbPRr-9EldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA'
< Authentication required >
{code}

> Enable AuthFilter as default for WebHdfs
> ----------------------------------------
>
> Key: HADOOP-16354
> URL: https://issues.apache.org/jira/browse/HADOOP-16354
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.3.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch,
> HADOOP-16354-003.patch
>
>
> HADOOP-16314 provides a generic option to configure
> ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all
> the services. If this is not configured, AuthenticationFilter is used for
> NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so
> that it is backward compatible.