[ https://issues.apache.org/jira/browse/HADOOP-18666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700612#comment-17700612 ]
ASF GitHub Bot commented on HADOOP-18666: ----------------------------------------- tasanuma commented on PR #5480: URL: https://github.com/apache/hadoop/pull/5480#issuecomment-1469797058 Yes, I can access only the whitelist endpoints. my-jobhistoryserver configs: ```xml <property name="hadoop.http.authentication.kerberos.endpoint.whitelist" value="/isActive,/jmx,/prom"/> <property name="hadoop.http.authentication.kerberos.keytab" value="/path/to/spnego.keytab"/> <property name="hadoop.http.authentication.kerberos.principal" value="HTTP/_HOST@MY_REALM"/> <property name="hadoop.http.authentication.type" value="kerberos"/> <property name="hadoop.http.filter.initializers" value="org.apache.hadoop.security.AuthenticationFilterInitializer,org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.security.HttpCrossOriginFilterInitializer"/> ``` ``` $ curl -s http://my-jobhistoryserver:19888/jmx | head -n 3 { "beans" : [ { "name" : "Hadoop:service=JobHistoryServer,name=RpcActivityForPort10033", $ curl -s http://my-jobhistoryserver:19888/conf | head <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 401 Authentication required</title> </head> <body><h2>HTTP ERROR 401 Authentication required</h2> <table> <tr><th>URI:</th><td>/conf</td></tr> <tr><th>STATUS:</th><td>401</td></tr> <tr><th>MESSAGE:</th><td>Authentication required</td></tr> ``` > A whitelist of endpoints to skip Kerberos authentication doesn't work for > ResourceManager and Job History Server > ---------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-18666 > URL: https://issues.apache.org/jira/browse/HADOOP-18666 > Project: Hadoop Common > Issue Type: Bug > Components: security > Reporter: YUBI LEE > Assignee: YUBI LEE > Priority: Major > Labels: pull-request-available > Attachments: HADOOP-18666-branch-3.3.4.patch > > > Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos > authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}. > However, I found that ResourceManager and Job History Server doesn't repect > {{hadoop.http.authentication.kerberos.endpoint.whitelist}}. > To workaround this issue for ResourceManager, set > {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in > yarn-site.xml. > However, there is no workaround for Job History Server. > This bug is caused by {{HttpServer2#initSpnego}} call without proper > configurations which starts with "{{hadoop.http.authentication.}}". > I will make a PR soon. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org