[jira] [Commented] (HADOOP-18666) A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-18666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700612#comment-17700612
 ] 

ASF GitHub Bot commented on HADOOP-18666:
-----------------------------------------

tasanuma commented on PR #5480:
URL: https://github.com/apache/hadoop/pull/5480#issuecomment-1469797058

   Yes, I can access only the whitelist endpoints.
   
   
   my-jobhistoryserver configs:
   ```xml
   <property name="hadoop.http.authentication.kerberos.endpoint.whitelist" 
value="/isActive,/jmx,/prom"/>
   <property name="hadoop.http.authentication.kerberos.keytab" 
value="/path/to/spnego.keytab"/>
   <property name="hadoop.http.authentication.kerberos.principal" 
value="HTTP/_HOST@MY_REALM"/>
   <property name="hadoop.http.authentication.type" value="kerberos"/>
   <property name="hadoop.http.filter.initializers" 
value="org.apache.hadoop.security.AuthenticationFilterInitializer,org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.security.HttpCrossOriginFilterInitializer"/>
   ```
   
   ```
   $ curl -s http://my-jobhistoryserver:19888/jmx | head -n 3
   {
     "beans" : [ {
       "name" : "Hadoop:service=JobHistoryServer,name=RpcActivityForPort10033",
   
   $ curl -s http://my-jobhistoryserver:19888/conf | head
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
   <title>Error 401 Authentication required</title>
   </head>
   <body><h2>HTTP ERROR 401 Authentication required</h2>
   <table>
   <tr><th>URI:</th><td>/conf</td></tr>
   <tr><th>STATUS:</th><td>401</td></tr>
   <tr><th>MESSAGE:</th><td>Authentication required</td></tr>
   ```




> A whitelist of endpoints to skip Kerberos authentication doesn't work for 
> ResourceManager and Job History Server
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18666
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18666
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: YUBI LEE
>            Assignee: YUBI LEE
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HADOOP-18666-branch-3.3.4.patch
>
>
> Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos 
> authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
> However, I found that ResourceManager and Job History Server doesn't repect 
> {{hadoop.http.authentication.kerberos.endpoint.whitelist}}.
> To workaround this issue for ResourceManager, set 
> {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in 
> yarn-site.xml.
> However, there is no workaround for Job History Server.
> This bug is caused by {{HttpServer2#initSpnego}} call without proper 
> configurations which starts with "{{hadoop.http.authentication.}}".
> I will make a PR soon.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org