[ https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859099#comment-16859099 ]

Prabhu Joseph commented on HADOOP-16354:
----------------------------------------

[~eyang] Thanks for reviewing.

1. Have removed setting {{simple.anonymous.allowed}} to true by default.

2. Before HADOOP-16314, the default filter is {{AuthFilter}} for WebHdfs and 
{{AuthenticationFilter}} for NameNode UI. WebHdfs can provide delegation token 
support only when {{AuthFilter}} + {{UserProvider}} Injector (which calls 
{{JspHelper#getUGI}}) is configured. Have retained the same default of 
{{AuthFilter}} for WebHdfs for backward compatibility. Users can configure 
{{ProxyUserAuthenticationFilterInitializer}} if required, which will exclude 
{{AuthFilter}}.

3. The default {{AuthFilter}} fixes Distcp with WebHdfs as well (HADOOP-16356).

MapReduce JobClient fetches a delegation token from WebHdfs. This works with a 
valid Kerberos ticket. Any {{AuthenticationFilter}} 
({{ProxyUserAuthenticationFilter}} or {{AuthFilter}}) which does Kerberos 
authentication will be able to provide a token.
{code:java}
curl --negotiate -u : "http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs"
{"Token":{"urlString":"IAAEa25veARoZGZzAIoBayNUC66KAWtHYI-ujgGxjgFnFKE9HVj_mxbfJd2lxzNGMHRDx_wVEldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA"}}
{code}
But when MapReduce tasks use the token in a subsequent call, WebHdfs has to be 
configured with {{AuthFilter}} to perform delegation token authentication. Both 
{{ProxyUserAuthenticationFilter}} and {{AuthenticationFilter}} will fail with 
"Authentication Required" as they expect only Kerberos authentication.
{code:java}
curl 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS&delegation=IAAEa25veARoZGZzAIoBay16h0mKAWtRhwtJjgG1jgF6FHXhPdw7C4nPpM7-P97b_BbPRr-9EldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA'
< Authentication required >
{code}

> Enable AuthFilter as default for WebHdfs
> ----------------------------------------
>
>                 Key: HADOOP-16354
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16354
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch, 
> HADOOP-16354-003.patch
>
>
> HADOOP-16314 provides a generic option to configure 
> ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all 
> the services. If this is not configured, AuthenticationFilter is used for 
> NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so 
> that it is backward compatible.
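
One way to check which of the two behaviours described in the comment above a WebHDFS endpoint shows, as an added example that is not part of the original comment or of Hadoop's code: `probe_delegation` sends a token-only GETFILESTATUS request and classifies the reply. The stub server, the `/tmp` path, the placeholder token and the rule that a 401 means Kerberos-only are assumptions made for this example.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so the probe talks to the host directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe_delegation(base_url, path, token):
    """Send GETFILESTATUS carrying only a delegation token; classify the reply."""
    query = urllib.parse.urlencode({"op": "GETFILESTATUS", "delegation": token})
    url = f"{base_url}/webhdfs/v1{path}?{query}"
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return "token-accepted" if resp.status == 200 else f"unexpected-{resp.status}"
    except urllib.error.HTTPError as err:
        # Assumption: a 401 here means the filter only accepts Kerberos.
        return "kerberos-only" if err.code == 401 else f"unexpected-{err.code}"

def start_stub(accepts_delegation):
    """Constructed stand-in for WebHDFS, modelling only the two outcomes in the comment."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            params = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
            negotiate = self.headers.get("Authorization", "").startswith("Negotiate ")
            ok = negotiate or (accepts_delegation and "delegation" in params)
            self.send_response(200 if ok else 401)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Probe one stub per filter behaviour and return the classifications."""
    results = {}
    for name, accepts in (("AuthFilter", True), ("AuthenticationFilter", False)):
        server = start_stub(accepts)
        base = f"http://127.0.0.1:{server.server_address[1]}"
        results[name] = probe_delegation(base, "/tmp", "PLACEHOLDER_TOKEN")
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Against a real cluster, call `probe_delegation` with the NameNode HTTP address and a token obtained through the GETDELEGATIONTOKEN call shown in the comment.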


