I'm working on a secure cluster that has authentication enabled for the
YARN services.
In my Apex setup, I have:
<property>
<name>apex.attr.STRAM_HTTP_AUTHENTICATION</name>
<value>DISABLE</value>
</property>
"DISABLE - Disable authentication for web services."
That's not what happens though, it rather follows the Hadoop setting and
fails because in this case Kerberos is enabled and the keytab not
configured.
I think that if a DISABLE option is advertised, then it should turn off the
authentication that gets inherited from the node manager environment.
Configuration config = getConfig();
if (SecurityUtils.isStramWebSecurityEnabled()) {
config = new Configuration(config);
config.set("hadoop.http.filter.initializers",
StramWSFilterInitializer.class.getCanonicalName());
} else {
if
(!"simple".equals(config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP))) {
LOG.warn("Found http authentication {} but authentication was
disabled in Apex.",
config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP));
config = new Configuration(config);
// turn off authentication for Apex as specified by user
config.set(SecurityUtils.HADOOP_HTTP_AUTH_PROP, "simple");
}
}
It will also help tremendously when warning from jetty are not swallowed
due to
org.mortbay.log.Log.setLog(null);
Otherwise there is just a "handler failed" message and the user has no way
to know what went wrong without hacking the Apex code?
Thanks,
Thomas
