[
https://issues.apache.org/jira/browse/YARN-8258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16502232#comment-16502232
]
Sunil Govindan commented on YARN-8258:
--------------------------------------
{{org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler}}
is configured as http authenticate type. Hence this filter will be present as
AuthenticationFilter.
{code:java}
filterHolder.getName()=authentication
filterHolder.getClassName()=org.apache.hadoop.security.authentication.server.AuthenticationFilter,
type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler{code}
If Security is enabled, Spnego filter will be loaded as well.
Now i am quoting code from AuthenticationFilter.
{code:java}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
...
...
try {
boolean newToken = false;
AuthenticationToken token;
try {
token = getToken(httpRequest);
....
}
catch (AuthenticationException ex) {
...
}
if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
if (token == null) {
token = authHandler.authenticate(httpRequest, httpResponse);
if (token != null && token != AuthenticationToken.ANONYMOUS) {
if (token.getMaxInactives() > 0) {
token.setMaxInactives(System.currentTimeMillis()
+ getMaxInactiveInterval() * 1000);
}{code}
When Auth Handler gets invoked this snippet code for doFilter, *authHandler*
will be JWTRedirectAuthenticationHandler instead of KerberosAuth handler. This
will be process JWT cookie and create a token.
Now quoting last part of doFilter code.
{code:java}
if (token != null) {
....
....
final AuthenticationToken authToken = token;
httpRequest = new HttpServletRequestWrapper(httpRequest) {
@Override
public String getAuthType() {
return authToken.getType();
}
@Override
public String getRemoteUser() {
return authToken.getUserName();
}
@Override
public Principal getUserPrincipal() {
return (authToken != AuthenticationToken.ANONYMOUS) ?
authToken : null;
}
};
...
...
doFilter(filterChain, httpRequest, httpResponse);
}{code}
This token is populated from JWT handler and proper then httpRequest is created
with this. And then passed to further filters in the chain.
Hence even if Spnego comes later, this wont be a pblm. Infact this code is
present in from long time and works well with KNOX SSO and UI1. This Jira
extends same to UI2.
> YARN webappcontext for UI2 should inherit all filters from default context
> --------------------------------------------------------------------------
>
> Key: YARN-8258
> URL: https://issues.apache.org/jira/browse/YARN-8258
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
> Reporter: Sumana Sathish
> Assignee: Sunil Govindan
> Priority: Major
> Attachments: YARN-8258.001.patch, YARN-8258.002.patch,
> YARN-8258.003.patch, YARN-8258.004.patch, YARN-8258.005.patch,
> YARN-8258.006.patch, YARN-8258.007.patch
>
>
> Thanks [~ssath...@hortonworks.com] for finding this.
> Ideally all filters from default context has to be inherited to UI2 context
> as well.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
