You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-dev@hadoop.apache.org by "YUBI LEE (Jira)" <ji...@apache.org> on 2023/03/15 07:45:00 UTC

[jira] [Created] (HADOOP-18666) A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server

YUBI LEE created HADOOP-18666:
---------------------------------

             Summary: A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server
                 Key: HADOOP-18666
                 URL: https://issues.apache.org/jira/browse/HADOOP-18666
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: YUBI LEE


Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
However, I found that ResourceManager and Job History Server doesn't repect {{hadoop.http.authentication.kerberos.endpoint.whitelist}}.

To workaround this issue for ResourceManager, set {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in yarn-site.xml.
However, there is no workaround for Job History Server.

This bug is caused by {{HttpServer2#initSpnego}} call without proper configurations which starts with "{{hadoop.http.authentication.}}".

I will make a PR soon.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org