  1. Hadoop YARN
  2. YARN-4006

YARN AltKerberos HTTP Authentication doesn't work


Details

    • Type: Improvement
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 2.5.0, 2.6.0, 2.7.0, 2.5.1, 2.6.1, 2.8.0, 2.7.1, 2.7.2
    • Fix Version/s: None
    • Component/s: security, timelineserver
    • Labels: None

    Description

      When attempting to use the Hadoop Alternate Authentication classes, they do not exactly work with what was built with YARN-1935.

      I went ahead and made the following changes to support using a Custom AltKerberos DelegationToken custom class.

      Changes to: TimelineAuthenticationFilterInitializer.class

          String authType = filterConfig.get(AuthenticationFilter.AUTH_TYPE);
          LOG.info("AuthType Configured: " + authType);

          if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
            // "simple" maps to the delegation-token-aware pseudo handler.
            filterConfig.put(AuthenticationFilter.AUTH_TYPE,
                PseudoDelegationTokenAuthenticationHandler.class.getName());
            LOG.info("AuthType: PseudoDelegationTokenAuthenticationHandler");
          } else if (authType.equals(KerberosAuthenticationHandler.TYPE)
              || (UserGroupInformation.isSecurityEnabled()
                  // Constant-first equals: the property may be unset (null).
                  && KerberosAuthenticationHandler.TYPE.equals(
                      conf.get("hadoop.security.authentication")))) {

            if (!authType.equals(KerberosAuthenticationHandler.TYPE)) {
              // Custom (AltKerberos) handler class on a Kerberos-secured
              // cluster: keep the configured class name as the handler.
              filterConfig.put(AuthenticationFilter.AUTH_TYPE, authType);
              LOG.info("AuthType: " + authType);
            } else {
              // Plain "kerberos" maps to the delegation-token-aware handler.
              filterConfig.put(AuthenticationFilter.AUTH_TYPE,
                  KerberosDelegationTokenAuthenticationHandler.class.getName());
              LOG.info("AuthType: KerberosDelegationTokenAuthenticationHandler");
            }

            // Resolve _HOST into bind address
            String bindAddress = conf.get(HttpServer2.BIND_ADDRESS);
            String principal =
                filterConfig.get(KerberosAuthenticationHandler.PRINCIPAL);
            if (principal != null) {
              try {
                principal = SecurityUtil.getServerPrincipal(principal, bindAddress);
              } catch (IOException ex) {
                throw new RuntimeException(
                    "Could not resolve Kerberos principal name: " + ex.toString(), ex);
              }
              filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL,
                  principal);
            }
          }
       

      Attachments

        1. sample-ats-alt-auth.patch
          27 kB
          Greg Senia
        2. YARN-4006-branch-trunk.patch
          3 kB
          Greg Senia
        3. YARN-4006-branch2.6.0.patch
          3 kB
          Greg Senia
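
The following stand-alone model is an added example, not code from the issue or from Hadoop: it reproduces the branch structure of the snippet in the description with plain strings so the handler chosen for each configuration can be printed as a table. The class name `AltKerberosFilterModel`, the custom handler name, the principal and the host are constructed for illustration, and the `_HOST` substitution is a simplified stand-in for `SecurityUtil.getServerPrincipal`.

```java
import java.util.HashMap;
import java.util.Map;

public class AltKerberosFilterModel {
    static final String PSEUDO = "simple";      // PseudoAuthenticationHandler.TYPE
    static final String KERBEROS = "kerberos";  // KerberosAuthenticationHandler.TYPE
    static final String PKG = "org.apache.hadoop.security.token.delegation.web.";

    /** Mirrors the branches of the snippet in the description (model only). */
    static Map<String, String> resolve(String authType, boolean securityEnabled,
                                       String hadoopAuth, String principal, String host) {
        Map<String, String> out = new HashMap<>();
        out.put("type", authType);
        out.put("principal", principal);
        if (PSEUDO.equals(authType)) {
            out.put("type", PKG + "PseudoDelegationTokenAuthenticationHandler");
        } else if (KERBEROS.equals(authType)
                || (securityEnabled && KERBEROS.equals(hadoopAuth))) {
            if (KERBEROS.equals(authType)) {
                out.put("type", PKG + "KerberosDelegationTokenAuthenticationHandler");
            } // otherwise the configured class name is kept as the handler
            if (principal != null) {
                // Simplified stand-in for SecurityUtil.getServerPrincipal (assumption)
                out.put("principal", principal.replace("_HOST", host));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String custom = "com.example.auth.CustomAltKerberosHandler"; // hypothetical class
        String spn = "HTTP/_HOST@EXAMPLE.COM";                       // constructed
        String host = "ats01.example.com";                           // constructed
        // Columns: filter auth type, security enabled, hadoop.security.authentication
        Object[][] cases = {
            {PSEUDO,   false, PSEUDO},
            {KERBEROS, true,  KERBEROS},
            {custom,   true,  KERBEROS},
            {custom,   false, PSEUDO},
        };
        for (Object[] c : cases) {
            Map<String, String> r =
                resolve((String) c[0], (Boolean) c[1], (String) c[2], spn, host);
            System.out.printf("%-42s secure=%-5s -> %s | %s%n",
                c[0], c[1], r.get("type"), r.get("principal"));
        }
    }
}
```

The last case shows the remaining gap in this logic: with security disabled, a custom class name matches neither branch, so the type is left untouched and `_HOST` in the principal is never resolved.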


          People

            Assignee: Unassigned
            Reporter: gss2002 Greg Senia
