[HADOOP-18666] A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: security
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

Thanks to ~~HADOOP-16527~~, we can add a whitelist of endpoints to skip Kerberos authentication such as /isActive, /jmx, /prom.
However, I found that ResourceManager and Job History Server doesn't repect hadoop.http.authentication.kerberos.endpoint.whitelist.

To workaround this issue for ResourceManager, set yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true in yarn-site.xml.
However, there is no workaround for Job History Server.

This bug is caused by HttpServer2#initSpnego call without proper configurations which starts with "hadoop.http.authentication.".

I will make a PR soon.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-18666-branch-3.3.4.patch
15/Mar/23 08:41
2 kB
YUBI LEE

Issue Links

is broken by

HADOOP-16314 Make sure all end point URL is covered by the same AuthenticationFilter

Resolved

links to

GitHub Pull Request #5480

Activity

People

Assignee:: YUBI LEE

Reporter:: YUBI LEE

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 15/Mar/23 07:44

Updated:: 27/Jan/24 08:34

Resolved:: 22/Mar/23 04:39