[ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15294804#comment-15294804 ]
Vinod Kumar Vavilapalli commented on YARN-4006: ----------------------------------------------- Manual testing is acceptable if it is deemed that this is not testable via unit-tests. I don't see any comments from anyone saying that. bq. There isn't anything that is specific to AltKeberos about this patch but such extensions should work fine. I missed this. In this case, it is entirely possible to add tests for this. Other comments on the patch, forgetting for a moment that we still don't completely understand the patch given the lack of even a basic explanation despite multiple requests - No need to log the auth-type three times, the first one should suffice? - Fix lines longer than 80 characters, Jenkins will complain - Use CommonConfigurationKeyPublic constants instead of hardcoding "hadoop.security.authentication" - Spurious conditional statements - you can collapse the following into a simple if-else statement {code} if (a || b) { if (!a) { } else { } } {code} > YARN ATS Alternate Kerberos HTTP Authentication Changes > ------------------------------------------------------- > > Key: YARN-4006 > URL: https://issues.apache.org/jira/browse/YARN-4006 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, timelineserver > Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2 > Reporter: Greg Senia > Assignee: Greg Senia > Priority: Blocker > Attachments: YARN-4006-branch-trunk.patch, > YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch > > > When attempting to use The Hadoop Alternate Authentication Classes. They do > not exactly work with what was built with YARN-1935. > I went ahead and made the following changes to support using a Custom > AltKerberos DelegationToken custom class. > Changes to: TimelineAuthenticationFilterInitializer.class > {code} > String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE); > LOG.info("AuthType Configured: "+authType); > if (authType.equals(PseudoAuthenticationHandler.TYPE)) { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > PseudoDelegationTokenAuthenticationHandler.class.getName()); > LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler"); > } else if (authType.equals(KerberosAuthenticationHandler.TYPE) || > (UserGroupInformation.isSecurityEnabled() && > conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) > { > if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > authType); > LOG.info("AuthType: "+authType); > } else { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > KerberosDelegationTokenAuthenticationHandler.class.getName()); > LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler"); > } > // Resolve _HOST into bind address > String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); > String principal = > filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); > if (principal != null) { > try { > principal = SecurityUtil.getServerPrincipal(principal, bindAddress); > } catch (IOException ex) { > throw new RuntimeException( > "Could not resolve Kerberos principal name: " + ex.toString(), > ex); > } > filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, > principal); > } > } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org