[ 
https://issues.apache.org/jira/browse/HDFS-14609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907486#comment-16907486
 ] 

Chen Zhang edited comment on HDFS-14609 at 8/14/19 5:47 PM:
------------------------------------------------------------

Thanks [~tasanuma] for providing the old revision of HDFS-13891, it's very 
helpful.

I've fixed these 2 tests; here are some details:
h3. TestRouterWithSecureStartup#testStartupWithoutSpnegoPrincipal

HADOOP-16314 and HADOOP-16354 made some changes which break the test:
 # Added an AuthFilterInitializer, which uses 
{{hadoop.http.authentication.kerberos.principal}} instead of 
{{dfs.web.authentication.kerberos.principal}} to initialize Kerberos
 # {{hadoop.http.authentication.kerberos.principal}} has a default value, so 
even if we don't configure this key, the cluster will still start normally

h3. TestRouterHttpDelegationToken
 # HDFS-14434 ignores the user.name query parameter in secure WebHDFS, and the 
initial version of this test leveraged this parameter to bypass the Kerberos 
authentication, so after HDFS-14434 it doesn't work. I added a set of methods to 
send requests by HTTP connection instead of {{WebHdfsFileSystem}} to make it 
continue working.
 # HADOOP-16314 changed the configuration key of the authentication filter from 
{{dfs.web.authentication.filter}} to {{hadoop.http.filter.initializers}}, so I 
added a {{NoAuthFilterInitializer}} to initialize {{NoAuthFilter}}
 # For the case {{testGetDelegationToken()}}, the server address is set by 
WebHdfsFileSystem after it gets the response; the original address is the 
address of RouterRpcServer. Since we now send requests by HTTP connection 
directly, it's unnecessary to reset the address, so I removed this assert
 # For the case {{testCancelDelegationToken()}}, the {{InvalidToken}} exception 
is also generated by WebHdfsFileSystem and the logic is very complex. I think 
it's also unnecessary to keep this assert, so I use the 403 detection instead.

 

In the trunk code, the config {{dfs.web.authentication.filter}} is not used 
anywhere. I propose to deprecate this config; I'll track this in another Jira.


> RBF: Security should use common AuthenticationFilter
> ----------------------------------------------------
>
>                 Key: HDFS-14609
>                 URL: https://issues.apache.org/jira/browse/HDFS-14609
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: CR Hota
>            Assignee: Chen Zhang
>            Priority: Major
>         Attachments: HDFS-14609.001.patch
>
>
> We worked on router based federation security as part of HDFS-13532. We kept 
> it compatible with the way namenode works. However, with HADOOP-16314 and 
> HDFS-16354 in trunk, auth filters seem to have been changed, causing tests to 
> fail.
> Changes are needed appropriately in RBF, mainly fixing broken tests.
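
As an added example (not part of the original comment or of the HDFS-14609 patch), the following Python check applies the key changes described in the comment above to a site configuration and reports settings that no longer drive HTTP authentication. The sample XML, the filter class name in it and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample *-site.xml in the old style (not taken from the issue).
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>dfs.web.authentication.filter</name>
    <value>org.example.CustomAuthFilter</value>
  </property>
  <property>
    <name>dfs.web.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
  </property>
</configuration>"""

# Key names as given in the comment.
OLD_FILTER_KEY = "dfs.web.authentication.filter"
NEW_FILTER_KEY = "hadoop.http.filter.initializers"
OLD_PRINCIPAL_KEY = "dfs.web.authentication.kerberos.principal"
NEW_PRINCIPAL_KEY = "hadoop.http.authentication.kerberos.principal"


def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_http_auth(props):
    """Flag settings the comment says no longer drive HTTP authentication."""
    findings = []
    if OLD_FILTER_KEY in props:
        findings.append(f"{OLD_FILTER_KEY} is set but not used in trunk; "
                        f"filters are configured through {NEW_FILTER_KEY}")
    if NEW_FILTER_KEY not in props:
        findings.append(f"{NEW_FILTER_KEY} is not set explicitly")
    if NEW_PRINCIPAL_KEY not in props:
        detail = (f"; {OLD_PRINCIPAL_KEY} is set but is not the key read"
                  if OLD_PRINCIPAL_KEY in props else "")
        findings.append(f"{NEW_PRINCIPAL_KEY} is not set, so its default "
                        f"value applies and startup will not fail{detail}")
    return findings


if __name__ == "__main__":
    for finding in audit_http_auth(load_properties(SAMPLE_SITE_XML)):
        print("WARN:", finding)
```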


