Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-9760

WebHDFS AuthFilter cannot be configured with custom AltKerberos auth handler

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: webhdfs
    • Labels:
      None
    • Target Version/s:

      Description

      Currently the WebHDFS AuthFilter selects its authentication type based on a call to UserGroupInformation.isSecurityEnabled() with only two choices, KerberosAuthentication or PsuedoAuthentication. Thus there is no condition where the WebHDFS server can be configured with a custom AltKerberos authentication handler.

      Additionally, at the time the WebHDFS AuthFilter is initialized the method getAuthFilterParams(conf) is called in NameNodeHttpServer which picks and chooses a certain few configurations with the prefix 'dfs.web.authentication'. The issue is this method strips away the configuration that could set the authentication type AND additional configurations that are specific to the custom auth handler (using the prefix 'dfs.web.authentication.alt-kerberos').

      The consequence of this lack of configurability is that a user that makes authenticated access to the namenode web UI (through a custom authentication handler) will not be able to access the namenode file browser (because it is making ajax calls to WebHDFS that has a different authentication type).

        Attachments

          Activity

            People

            • Assignee:
              rsasson Ryan Sasson
              Reporter:
              rsasson Ryan Sasson
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: