[ 
https://issues.apache.org/jira/browse/HDFS-14525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17327104#comment-17327104
 ] 

Qi Zhu edited comment on HDFS-14525 at 4/22/21, 6:52 AM:
---------------------------------------------------------

[~prabhujoseph]  [~eyang] [~daryn]

I also think this is needed, if we can add an option to support it:

We can add an option to allow these two to be independent: 
hadoop.security.authentication is specific to RPC authentication, whereas 
hadoop.http.authentication.type is specific to HTTP authentication.

We want HTTP to be unauthenticated, but RPC to be authenticated.

How to handle the case:

1. The HTTP authentication is simple, and we don't want to set up browser 
access with a keytab.

2. The service RPC is Kerberos based.

3. We also want WebHDFS to use Kerberos.

But with HADOOP-16354, JspHelper#getUGI:
{code:java}
if (UserGroupInformation.isSecurityEnabled()) {
  remoteUser = request.getRemoteUser();
  final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
  if (tokenString != null) {

    // user.name, doas param is ignored in the token-based auth
    ugi = getTokenUGI(context, request, tokenString, conf);
  } else if (remoteUser == null) {
    throw new IOException(
        "Security enabled but user not authenticated by filter");
  }
}
{code}
We will get a null remoteUser here, because we don't get a principal with the simple method.

The command: hadoop fs -ls webhdfs://host:port/ 
will throw "Security enabled but user not authenticated by filter".

What are your opinions, and how can we solve it?

Thanks.

was (Author: zhuqi):
[~prabhujoseph] 

I also think this is needed, if we can add an option to support it:

We can add an option to allow these two to be independent: 
hadoop.security.authentication is specific to RPC authentication, whereas 
hadoop.http.authentication.type is specific to HTTP authentication.

We want HTTP to be unauthenticated, but RPC to be authenticated.

> JspHelper ignores hadoop.http.authentication.type
> -------------------------------------------------
>
>                 Key: HDFS-14525
>                 URL: https://issues.apache.org/jira/browse/HDFS-14525
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Priority: Major
>
> On a secure cluster with hadoop.http.authentication.type set to simple and 
> hadoop.http.authentication.anonymous.allowed set to true, the WebHDFS REST API 
> fails when user.name is not set. It runs fine if user.name=ambari-qa is set.
> {code}
> [knox@pjosephdocker-1 ~]$ curl -sS -L -w '%{http_code}' -X GET -d '' -H 
> 'Content-Length: 0' --negotiate -u : 
> 'http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/services/sync/yarn-ats?op=GETFILESTATUS'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
>  to obtain user group information: java.io.IOException: Security enabled but 
> user not authenticated by filter"}}403[knox@pjosephdocker-1 ~]$ 
> {code}
> JspHelper#getUGI checks UserGroupInformation.isSecurityEnabled() instead of 
> conf.get(hadoop.http.authentication.type).equals("kerberos") to check whether 
> HTTP is secure, which causes the issue.
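
The gate under discussion, as an added stand-alone Java model (not Hadoop source and not code from the issue): it compares the quoted `isSecurityEnabled()` check with the `hadoop.http.authentication.type` check proposed in the description, for a cluster where RPC is Kerberos and HTTP is `simple`. The class and method names, the non-secure fallback, the assumption that the simple filter copies `user.name` into `remoteUser`, and the sample values are all assumptions made for illustration.

```java
import java.io.IOException;

// Added model, not Hadoop source: plain values stand in for the servlet
// request and Configuration so the two checks can be compared side by side.
public class HttpAuthCheckModel {
    static final String ERR = "Security enabled but user not authenticated by filter";

    // Gate as quoted in the comment: keyed on UserGroupInformation.isSecurityEnabled().
    static String currentCheck(boolean securityEnabled, String remoteUser,
                               String token, String userName) throws IOException {
        return resolve(securityEnabled, remoteUser, token, userName);
    }

    // Gate as proposed in the description: keyed on hadoop.http.authentication.type.
    static String proposedCheck(String httpAuthType, String remoteUser,
                                String token, String userName) throws IOException {
        return resolve("kerberos".equals(httpAuthType), remoteUser, token, userName);
    }

    private static String resolve(boolean httpSecure, String remoteUser,
                                  String token, String userName) throws IOException {
        if (httpSecure) {
            if (token != null) return "token";         // delegation token takes precedence
            if (remoteUser == null) throw new IOException(ERR);
            return "filter:" + remoteUser;             // identity supplied by the auth filter
        }
        // Assumed non-secure fallback: the identity is whatever the request claims,
        // with no proof, even though RPC on the same cluster requires Kerberos.
        return "unauthenticated:" + (userName != null ? userName : "<default web user>");
    }

    static String run(String label, boolean proposed, String remoteUser,
                      String token, String userName) {
        String result;
        try {
            result = proposed ? proposedCheck("simple", remoteUser, token, userName)
                              : currentCheck(true, remoteUser, token, userName);
        } catch (IOException e) {
            result = "IOException: " + e.getMessage();
        }
        return label + " -> " + result;
    }

    public static void main(String[] args) {
        // Constructed cases: RPC is kerberos, HTTP type is simple.
        System.out.println(run("current,  anonymous       ", false, null, null, null));
        System.out.println(run("current,  user.name set   ", false, "ambari-qa", null, "ambari-qa"));
        System.out.println(run("current,  delegation token", false, null, "tok", null));
        System.out.println(run("proposed, anonymous       ", true, null, null, null));
        System.out.println(run("proposed, user.name set   ", true, "ambari-qa", null, "ambari-qa"));
    }
}
```

The first case reproduces the exception from the report; the last two show that decoupling the settings makes the web identity an unverified request value, which is the trade-off an operator accepts when choosing `simple` for HTTP.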


