Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-4006

YARN AltKerberos HTTP Authentication doesn't work

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
    • Fix Version/s: None
    • Component/s: security, timelineserver
    • Labels:
      None

      Description

      When attempting to use The Hadoop Alternate Authentication Classes. They do not exactly work with what was built with YARN-1935.

      I went ahead and made the following changes to support using a Custom AltKerberos DelegationToken custom class.

      Changes to: TimelineAuthenticationFilterInitializer.class

         String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
      
      
          LOG.info("AuthType Configured: "+authType);
          if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
      
            filterConfig.put(AuthenticationFilter.AUTH_TYPE,
                PseudoDelegationTokenAuthenticationHandler.class.getName());
              LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
      
          } else if (authType.equals(KerberosAuthenticationHandler.TYPE) || (UserGroupInformation.isSecurityEnabled() && conf.get("hadoop.security.authentication").equals(KerberosAuthenticationHandler.TYPE))) {
      
            if (!(authType.equals(KerberosAuthenticationHandler.TYPE))) {
              filterConfig.put(AuthenticationFilter.AUTH_TYPE,
                authType);
              LOG.info("AuthType: "+authType);
            } else {
              filterConfig.put(AuthenticationFilter.AUTH_TYPE,
                KerberosDelegationTokenAuthenticationHandler.class.getName());
              LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
            } 
      
      
            // Resolve _HOST into bind address
            String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
            String principal =
                filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
            if (principal != null) {
              try {
                principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
              } catch (IOException ex) {
                throw new RuntimeException(
                    "Could not resolve Kerberos principal name: " + ex.toString(), ex);
              }
              filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
                  principal);
            }
          }
       

        Attachments

        1. sample-ats-alt-auth.patch
          27 kB
          Greg Senia
        2. YARN-4006-branch-trunk.patch
          3 kB
          Greg Senia
        3. YARN-4006-branch2.6.0.patch
          3 kB
          Greg Senia

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                gss2002 Greg Senia
              • Votes:
                0 Vote for this issue
                Watchers:
                18 Start watching this issue

                Dates

                • Created:
                  Updated: