[ 
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14345703#comment-14345703
 ] 

Allen Wittenauer edited comment on HDFS-5796 at 3/3/15 8:43 PM:
----------------------------------------------------------------

bq. please correct me if I'm wrong, but looking at the code in hadoop trunk, I 
don't think AltKerberos is currently used.

It's existed for a very long time. We're using it in 2.4.1 on our secure 
clusters now. One configures it in core-site.xml to enable it.

bq. So that we are on the same page, we agree using AltKerberos Handler is the 
right approach.. but I think we should agree on what exactly should be the 
alternate mechanism...

This stuff is (as typical) poorly documented, but that's the point of 
AltKerberos.  Users can build their own filter mechanism to work alongside the 
SPNEGO one.  So if someone wants to use (for example) OAuth, they just need to 
push that implementation into their own jar and configure it in core-site.xml. 
So if you wanted to, you could do the necessary implementation of the 
AltKerberos methods that said "we auth via SPNEGO and SAML and anyone that 
fails gets Dr. Who".  This way we don't have to dictate anything.  It probably 
would be useful, however, to have a working AltKerberos example that does 
something real... but that's a different issue.


was (Author: aw):
bq. please correct me if I'm wrong, but looking at the code in hadoop trunk, I 
don't think AltKerberos is currently used.

It's existed for a very long time. We're using it in 2.4.1 on our secure 
clusters now. One configures it in core-site.xml to enable it.

bq. So that we are on the same page, we agree using AltKerberos Handler is the 
right approach.. but I think we should agree on what exactly should be the 
alternate mechanism...

This stuff is (as typical) poorly documented, but that's the point of 
AltKerberos.  Users can build their own filter mechanism to work alongside the 
SPNEGO one.  So if someone wants to use (for example) OAuth, they just need to 
push that implementation into their own jar and configure it in core-site.xml. 
So if you wanted to, you could do the necessary implementation of the 
AltKerberos methods that said "we auth via SAML and anyone that fails gets Dr. 
Who".  This way we don't have to dictate anything.  It probably would be useful, 
however, to have a working AltKerberos example that does something real... but 
that's a different issue.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
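
An added example, not part of the original comment or of the Hadoop code base: a minimal handler of the kind the comment describes, where browsers authenticate with a TLS client certificate and every other user agent falls through to SPNEGO in the parent class. The package and class names are hypothetical, and it assumes the web server is configured to request and validate client certificates and that the certificate CN is the user name.

```java
package example.auth; // hypothetical package name

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;

// Enable by packaging this class in a jar on the daemon classpath and setting, in core-site.xml,
// hadoop.http.authentication.type = example.auth.ClientCertAltKerberosHandler
// The parent class calls alternateAuthenticate() only for browser user agents.
public class ClientCertAltKerberosHandler extends AltKerberosAuthenticationHandler {
  @Override
  public AuthenticationToken alternateAuthenticate(HttpServletRequest request,
      HttpServletResponse response) throws IOException, AuthenticationException {
    // The servlet container sets this attribute only after a TLS handshake
    // in which the client presented a certificate the server accepted.
    X509Certificate[] chain = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
    if (chain == null || chain.length == 0) {
      // Fail closed: no certificate means no token and no anonymous fallback.
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
      return null;
    }
    String user = commonName(chain[0]);
    return new AuthenticationToken(user, user, getType());
  }

  // Assumption for this example: the subject CN is the Hadoop user name.
  private static String commonName(X509Certificate cert) throws AuthenticationException {
    try {
      LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
      for (Rdn rdn : dn.getRdns()) {
        if ("CN".equalsIgnoreCase(rdn.getType())) {
          return rdn.getValue().toString();
        }
      }
    } catch (InvalidNameException e) {
      throw new AuthenticationException(e);
    }
    throw new AuthenticationException("certificate subject has no CN");
  }
}
```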


