  1. Hadoop Distributed Data Store
  2. HDDS-1901

Fix Ozone HTTP WebConsole Authentication


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.4.0
    • Fix Version/s: 0.4.1
    • Component/s: None
    • Target Version/s:
    • Sprint:
      HDDS Biscayne

      Description

      This was found during integration testing: HTTP authentication is enabled, but anonymous users can still access the Ozone HTTP web console, e.g. scm:9876 or om:9874. This can be reproduced with the following configuration added to the ozonesecure docker-compose.

      CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
      CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
      CORE-SITE.XML_hadoop.http.authentication.type=kerberos
      CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
      CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
      CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer

      After debugging into the KerberosAuthenticationFilter, the root cause is that the name of the keytab does not follow the AuthenticationFilter tradition. The fix is to change

      hdds.scm.http.kerberos.keytab.file to hdds.scm.http.kerberos.keytab and
      hdds.om.http.kerberos.keytab.file to hdds.om.http.kerberos.keytab

      I will also add an integration test for this under ozonesecure docker-compose.
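
A configuration audit for the mismatch described above, as an added example that is not part of the original issue or the Ozone code base. It reads docker-config lines in the `<FILE>.XML_<property>=<value>` shape shown above, flags the two legacy keytab names, and checks that the authentication filter initializer is listed when Kerberos HTTP authentication is requested. The `OZONE-SITE.XML_` prefix in the sample and the function names are assumptions.

```python
import re

# Renames stated in HDDS-1901: legacy key -> key name the fix switches to.
RENAMED = {
    "hdds.scm.http.kerberos.keytab.file": "hdds.scm.http.kerberos.keytab",
    "hdds.om.http.kerberos.keytab.file": "hdds.om.http.kerberos.keytab",
}
INITIALIZER = "org.apache.hadoop.security.AuthenticationFilterInitializer"
# docker-config line shape used on the page: <FILE>.XML_<property>=<value>
LINE = re.compile(r"^[A-Za-z0-9-]+\.XML_(?P<key>[^=\s]+)=(?P<value>.*)$")


def parse_docker_config(text):
    """Return {property: value}; blank lines, comments and other env vars are skipped."""
    props = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            props[m.group("key")] = m.group("value").strip()
    return props


def audit_http_auth(text):
    """Return (property, finding) pairs for settings that can leave a console open."""
    props, findings = parse_docker_config(text), []
    for old, new in RENAMED.items():
        if old in props and not props.get(new):
            findings.append((old, f"legacy name, keytab not seen by the filter; set {new}"))
        elif old in props:
            findings.append((old, f"legacy name still present alongside {new}"))
    if props.get("hadoop.http.authentication.type") == "kerberos":
        chain = [c.strip() for c in props.get("hadoop.http.filter.initializers", "").split(",")]
        if INITIALIZER not in chain:
            findings.append(("hadoop.http.filter.initializers", f"{INITIALIZER} is not listed"))
    return findings


# Constructed sample: settings from the page plus the two legacy keytab keys.
# The OZONE-SITE.XML_ prefix is an assumption; the page only shows CORE-SITE.XML_ lines.
SAMPLE = """\
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_hdds.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
"""

if __name__ == "__main__":
    for prop, finding in audit_http_auth(SAMPLE):
        print(f"{prop}: {finding}")
```
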

              People

              • Assignee:
                xyao Xiaoyu Yao
                Reporter:
                vivekratnavel Vivek Ratnavel Subramanian

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 40m