You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "YUBI LEE (Jira)" <ji...@apache.org> on 2023/03/15 07:45:00 UTC
[jira] [Created] (HADOOP-18666) A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server
YUBI LEE created HADOOP-18666:
---------------------------------
Summary: A whitelist of endpoints to skip Kerberos authentication doesn't work for ResourceManager and Job History Server
Key: HADOOP-18666
URL: https://issues.apache.org/jira/browse/HADOOP-18666
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: YUBI LEE
Thanks to HADOOP-16527, we can add a whitelist of endpoints to skip Kerberos authentication such as {{/isActive}}, {{/jmx}}, {{/prom}}.
However, I found that ResourceManager and Job History Server doesn't repect {{hadoop.http.authentication.kerberos.endpoint.whitelist}}.
To workaround this issue for ResourceManager, set {{yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true}} in yarn-site.xml.
However, there is no workaround for Job History Server.
This bug is caused by {{HttpServer2#initSpnego}} call without proper configurations which starts with "{{hadoop.http.authentication.}}".
I will make a PR soon.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org