[ https://issues.apache.org/jira/browse/YARN-4006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295150#comment-15295150 ]
Greg Senia commented on YARN-4006:
----------------------------------

I would definitely agree Knox is the long term answer. At my new employer we are rolling out Knox for users interacting with Hadoop outside of the cluster network. I've relayed this back to my remaining contacts at my previous employer that it is best to ditch AltAuth code altogether. The whole reason for the AltAuth handler use was born out of Data Scientists and Hadoop end users being upset that they couldn't view their job logs while things were running. This was because we decided to protect the HTTP/S UIs with Kerberos as folks started to leak PII/PHI in custom MapReduce/YARN job logs in debug mode, and kerberizing the HTTP endpoints was a way to contain it.

I think the things blocking Knox rollout in both my current and previous employer are the status of the remaining JIRAs around the UIs. I know when reading the HWX docs supposedly all the UIs are supported. [~vinodkv] and [~lmccay], do you know if these are all supported in HA mode? If so this JIRA can be closed out in my book as it really is dead ended unless folks don't want to use Knox.

WHAT KNOX DOES

With YARN as its architectural center, Apache Hadoop continues to attract new engines to run within the data platform, as organizations want to efficiently store their data in a single repository and interact with it for batch, interactive and real-time streaming use cases. More and more independent software vendors (ISVs) are developing applications to run in Hadoop via YARN. This increases the number of users and processing engines that operate simultaneously across a Hadoop cluster, on the same data, at the same time.
The Apache Knox Gateway ("Knox") provides perimeter security so that the enterprise can confidently extend Hadoop access to more of those new users while also maintaining compliance with enterprise security policies. Knox also simplifies Hadoop security for users who access the cluster data and execute jobs. It integrates with prevalent identity management and SSO systems and allows identities from those enterprise systems to be used for seamless, secure access to Hadoop clusters.

Knox provides perimeter security for Hadoop clusters, with these advantages:

Advantage              Description
Simplified access      Extend Hadoop's REST/HTTP services by encapsulating Kerberos within the cluster
Enhanced security      Expose Hadoop's REST/HTTP services without revealing network details, with SSL provided out of box
Centralized control    Centrally enforce REST API security and route requests to multiple Hadoop clusters
Enterprise integration Support LDAP and Active Directory

The following Apache Hadoop services have integrations with the Knox Gateway: http://hortonworks.com/apache/knox-gateway/

Supported Apache Hadoop Services
- Ambari
- WebHDFS (HDFS)
- Templeton (HCatalog)
- Stargate (HBase)
- Oozie
- Hive/JDBC
- Yarn RM
- Storm

Supported Apache Hadoop UIs
- Name Node UI
- Job History UI
- Oozie UI
- HBase UI
- Yarn UI
- Spark UI
- Ambari UI
- Ranger Admin Console

Not Resolved:
- Having Knox Supporting Hadoop/Yarn/HBase/Hive High Availability - https://issues.apache.org/jira/browse/KNOX-567
- Support Zeppelin UI through Knox - https://issues.apache.org/jira/browse/KNOX-710
- NameNode UI through Knox has various tabs not working - https://issues.apache.org/jira/browse/KNOX-626
- Views in Ambari UI don't render when proxied by the AMBARIUI service - https://issues.apache.org/jira/browse/KNOX-705
- HBase Master UI through Knox is missing JS and CSS resources - https://issues.apache.org/jira/browse/KNOX-627
- Oozie Web UI doesn't render when proxied using Knox - https://issues.apache.org/jira/browse/KNOX-628

Fixed:
- Proxy support for Ranger UI - https://issues.apache.org/jira/browse/KNOX-668
- Knox support for HiveServer2 HA - https://issues.apache.org/jira/browse/KNOX-570
- Proxy support for Ambari UI - https://issues.apache.org/jira/browse/KNOX-673
- Provide a template topology file for UI proxy services - https://issues.apache.org/jira/browse/KNOX-625

> YARN ATS Alternate Kerberos HTTP Authentication Changes
> -------------------------------------------------------
>
>                 Key: YARN-4006
>                 URL: https://issues.apache.org/jira/browse/YARN-4006
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, timelineserver
>    Affects Versions: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>            Priority: Blocker
>         Attachments: YARN-4006-branch-trunk.patch, YARN-4006-branch2.6.0.patch, sample-ats-alt-auth.patch
>
>
> When attempting to use the Hadoop Alternate Authentication Classes, they do not exactly work with what was built with YARN-1935.
> I went ahead and made the following changes to support using a custom AltKerberos DelegationToken class.
> Changes to: TimelineAuthenticationFilterInitializer.class
> {code}
> String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
> LOG.info("AuthType Configured: " + authType);
> // Constant-first comparisons so a missing "type" value cannot throw an NPE.
> if (PseudoAuthenticationHandler.TYPE.equals(authType)) {
>   // "simple" auth: wrap the pseudo handler so delegation tokens still work
>   filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>       PseudoDelegationTokenAuthenticationHandler.class.getName());
>   LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
> } else if (KerberosAuthenticationHandler.TYPE.equals(authType)
>     || (UserGroupInformation.isSecurityEnabled()
>         && KerberosAuthenticationHandler.TYPE.equals(
>             conf.get("hadoop.security.authentication")))) {
>   if (!KerberosAuthenticationHandler.TYPE.equals(authType)) {
>     // A custom handler class name (the AltKerberos case) is passed through unchanged.
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE, authType);
>     LOG.info("AuthType: " + authType);
>   } else {
>     filterConfig.put(AuthenticationFilter.AUTH_TYPE,
>         KerberosDelegationTokenAuthenticationHandler.class.getName());
>     LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
>   }
>   // Resolve _HOST into bind address
>   String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
>   String principal = filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
>   if (principal != null) {
>     try {
>       principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
>     } catch (IOException ex) {
>       throw new RuntimeException(
>           "Could not resolve Kerberos principal name: " + ex.toString(), ex);
>     }
>     filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
>   }
> }
> {code}
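The handler-selection and _HOST-resolution logic of the quoted snippet, modelled in Python as an added example (not code from the JIRA, the patch, or Hadoop) so the decision table can be exercised with constructed configs. The config keys and type strings are the Hadoop constants the snippet names; the fully qualified handler class names and the injected hostname lookup (so it runs offline) are assumptions, and the missing-`type` case fails closed where the Java would dereference null.

```python
from typing import Callable, Dict, Optional

# Config keys and type strings the quoted snippet references, as Hadoop defines
# them: AuthenticationFilter.AUTH_TYPE, KerberosAuthenticationHandler.PRINCIPAL,
# HttpServer2.BIND_ADDRESS, PseudoAuthenticationHandler.TYPE, KerberosAuthenticationHandler.TYPE.
AUTH_TYPE = "type"
PRINCIPAL = "kerberos.principal"
BIND_ADDRESS = "bind.address"
PSEUDO_TYPE = "simple"
KERBEROS_TYPE = "kerberos"
# Fully qualified names of the two delegation-token handlers (assumed, hadoop-common).
PSEUDO_DT_HANDLER = "org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler"
KERBEROS_DT_HANDLER = "org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler"


def resolve_principal(principal: str, bind_address: Optional[str],
                      resolve_host: Callable[[str], str]) -> str:
    """Expand HTTP/_HOST@REALM from the bind address (models SecurityUtil.getServerPrincipal)."""
    name, sep, rest = principal.partition("/")
    host, at, realm = rest.partition("@")
    if not sep or not at or host != "_HOST":
        return principal                      # no _HOST placeholder: nothing to expand
    # As in Hadoop, an unset or wildcard bind address means "this host".
    lookup = bind_address if bind_address and bind_address != "0.0.0.0" else "localhost"
    return f"{name}/{resolve_host(lookup).lower()}@{realm}"


def select_handler(filter_config: Dict[str, str], conf: Dict[str, str],
                   security_enabled: bool,
                   resolve_host: Callable[[str], str]) -> Dict[str, str]:
    """Return the effective filter config: handler class plus resolved principal."""
    out = dict(filter_config)
    auth_type = filter_config.get(AUTH_TYPE)
    if auth_type is None:
        # The quoted Java would NPE here; refuse to start rather than guess a handler.
        raise ValueError("authentication filter has no 'type' configured")
    cluster_is_kerberos = (security_enabled
                           and conf.get("hadoop.security.authentication") == KERBEROS_TYPE)
    if auth_type == PSEUDO_TYPE:
        out[AUTH_TYPE] = PSEUDO_DT_HANDLER
    elif auth_type == KERBEROS_TYPE or cluster_is_kerberos:
        # "kerberos" gets the delegation-token wrapper; any other class name
        # (the custom AltKerberos handler) is kept exactly as configured.
        if auth_type == KERBEROS_TYPE:
            out[AUTH_TYPE] = KERBEROS_DT_HANDLER
        principal = filter_config.get(PRINCIPAL)
        if principal is not None:
            out[PRINCIPAL] = resolve_principal(principal, conf.get(BIND_ADDRESS), resolve_host)
    # Unknown handler on an insecure cluster: left untouched, as in the snippet.
    return out
```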