[ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295138#comment-15295138 ]
Greg Senia commented on YARN-4006: ---------------------------------- [~vinodkv], [~aw] and [~lmccay], the goal of my original patch was to allow the ATS UI component operate in a similar fashion to the Mapreduce History Server so users were able to view their YARN job history and such as my previous employer disabled kerberos in web browsers why I couldn't tell you it was a fight just to allow them to kerberize the cluster using Active Directory and allowing service principal creation in a nonstandard AD child forest.. My former employer is still using this patch with a recompiled version of HDP 2.4 so users can view the job logs and such. -Greg > YARN ATS Alternate Kerberos HTTP Authentication Changes > ------------------------------------------------------- > > Key: YARN-4006 > URL: https://issues.apache.org/jira/browse/YARN-4006 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, timelineserver > Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2 > Reporter: Greg Senia > Assignee: Greg Senia > Priority: Blocker > Attachments: YARN-4006-branch-trunk.patch, > YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch > > > When attempting to use The Hadoop Alternate Authentication Classes. They do > not exactly work with what was built with YARN-1935. > I went ahead and made the following changes to support using a Custom > AltKerberos DelegationToken custom class. > Changes to: TimelineAuthenticationFilterInitializer.class > {code} > String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE); > LOG.info("AuthType Configured: "+authType); > if (authType.equals(PseudoAuthenticationHandler.TYPE)) { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > PseudoDelegationTokenAuthenticationHandler.class.getName()); > LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler"); > } else if (authType.equals(KerberosAuthenticationHandler.TYPE) || > (UserGroupInformation.isSecurityEnabled() && > conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) > { > if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > authType); > LOG.info("AuthType: "+authType); > } else { > filterConfig.put(AuthenticationFilter.AUTH_TYPE, > KerberosDelegationTokenAuthenticationHandler.class.getName()); > LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler"); > } > // Resolve _HOST into bind address > String bindAddress = conf.get(HttpServer2.BIND_ADDRESS); > String principal = > filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL); > if (principal != null) { > try { > principal = SecurityUtil.getServerPrincipal(principal, bindAddress); > } catch (IOException ex) { > throw new RuntimeException( > "Could not resolve Kerberos principal name: " + ex.toString(), > ex); > } > filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, > principal); > } > } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org