You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Zhijie Shen (JIRA)" <ji...@apache.org> on 2014/07/01 11:20:24 UTC

[jira] [Updated] (YARN-2228) TimelineServer should load pseudo authentication filter when authentication = simple

     [ https://issues.apache.org/jira/browse/YARN-2228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhijie Shen updated YARN-2228:
------------------------------

    Attachment: YARN-2228.1.patch

Created a patch to make the following major changes:

1. Always load TimelineAuthentcationFilter when the timeline server is up.

2. Completely separate the timeline authentication configuration dependency from the common part. All timeline authentication configurations start with "yarn.timeline-service.http.authentication".

3. When y.t.h.a.type = simple, TimelineAuthentcationFilter uses PseuodAuthenticationHandler to process the request. It allow the timeline server to get the user name if the user specifies "usern.name" in the URL param, and to use it as the owner of the entity that the user posts. In this way, we can enable timeline ACLs even when kerberos authentication is not enabled (aka insecure mode). When y.t.h.a.type = kerberos, everything works as before.

4. Updated TestTimelineWebServices to test ACLs under the "simple" authentication type instead of mocking user name.

I've verified the patch locally in both secure and insecure cluster, which looked generally fine.

> TimelineServer should load pseudo authentication filter when authentication = simple
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-2228
>                 URL: https://issues.apache.org/jira/browse/YARN-2228
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: YARN-2228.1.patch
>
>
> When kerberos authentication is not enabled, we should let the timeline server to work with pseudo authentication filter. In this way, the sever is able to detect the request user by checking "user.name".
> On the other hand, timeline client should append "user.name" in un-secure case as well, such that ACLs can keep working in this case. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)