Xiaoyu Yao created HDDS-1901:
--------------------------------

             Summary: Fix Ozone HTTP WebConsole Authentication
                 Key: HDDS-1901
                 URL: https://issues.apache.org/jira/browse/HDDS-1901
             Project: Hadoop Distributed Data Store
          Issue Type: Bug
    Affects Versions: 0.4.0
            Reporter: Vivek Ratnavel Subramanian
            Assignee: Xiaoyu Yao

This was found during integration testing, where HTTP authentication is enabled but anonymous users can still access the Ozone HTTP web console, such as scm:9876 or om:9874.

This can be reproduced with the following configuration added to the ozonesecure docker-compose.

{code}
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_h...@example.com
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
{code}

After debugging into the KerberosAuthenticationFilter, the root cause is that the name of the keytab does not follow the AuthenticationFilter tradition. The fix is to change hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab.

I will also add an integration test for this under ozonesecure docker-compose.
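
Added example, not part of the original message and not Ozone code: a small configuration lint for the naming mismatch described above. It assumes the per-service prefix (hdds.scm.http. or hdds.om.http.) is stripped before Hadoop's Kerberos handler looks up kerberos.principal and kerberos.keytab; the sample property lines, the OZONE-SITE.XML_ tag and the principals are constructed.

```python
# Names Hadoop's KerberosAuthenticationHandler looks up in its filter config.
REQUIRED_SUFFIXES = ("kerberos.principal", "kerberos.keytab")
# Per-service prefixes, taken from the property names in the report.
HTTP_PREFIXES = ("hdds.scm.http.", "hdds.om.http.")

# Constructed sample in docker-config style; principals are placeholders.
SAMPLE_BEFORE = """\
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_hdds.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
OZONE-SITE.XML_hdds.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(".keytab.file=", ".keytab=")


def parse_properties(text):
    """Parse KEY=VALUE lines, dropping a leading 'SOME-SITE.XML_' file tag."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().split(".XML_", 1)[-1]  # unchanged if no tag present
        props[key] = value.strip()
    return props


def lint_http_kerberos(props, prefixes=HTTP_PREFIXES):
    """Return (found_key_or_None, expected_key) for each name the filter would miss."""
    # Assumption: the service prefix is stripped before the handler sees the keys.
    findings = []
    for prefix in prefixes:
        stripped = {k[len(prefix):]: k for k in props if k.startswith(prefix)}
        if not stripped:
            continue  # this service's web console is not configured here
        for suffix in REQUIRED_SUFFIXES:
            if suffix in stripped:
                continue
            # A longer name such as 'kerberos.keytab.file' is a near miss.
            near = sorted(f for s, f in stripped.items() if s.startswith(suffix + "."))
            findings.append((near[0] if near else None, prefix + suffix))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, lint_http_kerberos(parse_properties(text)))
```

A non-empty result means a keytab or principal property is present under a name the filter does not read, or is absent for a configured service.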