You are viewing a plain text version of this content. The canonical link for it is here.
Posted to mapreduce-user@hadoop.apache.org by Francis Dupin <fr...@ifsttar.fr> on 2015/11/25 16:48:35 UTC
Authentication for hdfs web interface
Hi all,
I would like to secure the web browser access to hdfs interface.
I have installed kerberos (working fine)
Then I have modified in my hadoop dist (binarie downloaded from apache
site) :
${HADOOP}/share/hadoop/hdfs/webapps/hdfs/WEB-INF/web.xml
adding :
<filter>
<filter-name>kerberosFilter</filter-name>
<filter-class>org.apache.hadoop.security.authentication.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>kerberos</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>3600</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.mv</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>kerberos.principal</param-name>
<param-value>HTTP/mv05@MV</param-value>
</init-param>
<init-param>
<param-name>kerberos.keytab</param-name>
<param-value>/etc/krb5kdc/kadm5.keytab</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>kerberosFilter</filter-name>
<url-pattern>/kerberos/*</url-pattern>
</filter-mapping>
where HTTP/mv05@MV and .mv are my own parameters
1 - In the documentation,
-------------------------------------
http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
it is written
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
but the class is not found.
I have replaced by
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
2 - In core-site.xml, I have added :
---------------------------------------------
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.security.authentication.server.AuthenticationFilter
</value>
</property>
When I launch the nodename, I have this error :
java.lang.ClassCastException:
org.apache.hadoop.security.authentication.server.AuthenticationFilter
cannot be cast to org.apache.hadoop.http.FilterInitializer
Any idea to solve that ?
Thank you to all in advance.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org
Re: Authentication for hdfs web interface
Posted by Chris Nauroth <cn...@hortonworks.com>.
Hello Francis,
Your configuration was very close to correct, but the
hadoop.http.filter.initializers property needs to be set to the name of a
filter initializer class, not the filter itself. Use this in
core-site.xml:
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
There are more details in the HTTP Authentication section of the Apache
Hadoop documentation:
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Htt
pAuthentication.html
--Chris Nauroth
On 11/25/15, 7:48 AM, "Francis Dupin" <fr...@ifsttar.fr> wrote:
>Hi all,
>
>I would like to secure the web browser access to hdfs interface.
>
>I have installed kerberos (working fine)
>
>Then I have modified in my hadoop dist (binarie downloaded from apache
>site) :
>${HADOOP}/share/hadoop/hdfs/webapps/hdfs/WEB-INF/web.xml
>
>adding :
>
>
> <filter>
> <filter-name>kerberosFilter</filter-name>
><filter-class>org.apache.hadoop.security.authentication.server.Authenticat
>ionFilter</filter-class>
> <init-param>
> <param-name>type</param-name>
> <param-value>kerberos</param-value>
> </init-param>
> <init-param>
> <param-name>token.validity</param-name>
> <param-value>3600</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.domain</param-name>
> <param-value>.mv</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.path</param-name>
> <param-value>/</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.principal</param-name>
> <param-value>HTTP/mv05@MV</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.keytab</param-name>
><param-value>/etc/krb5kdc/kadm5.keytab</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>kerberosFilter</filter-name>
> <url-pattern>/kerberos/*</url-pattern>
> </filter-mapping>
>
>where HTTP/mv05@MV and .mv are my own parameters
>
>
>1 - In the documentation,
>-------------------------------------
>http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
>
>it is written
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>but the class is not found.
>
>I have replaced by
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>
>
>2 - In core-site.xml, I have added :
>---------------------------------------------
>
><property>
> <name>hadoop.http.filter.initializers</name>
><value>org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.se
>curity.authentication.server.AuthenticationFilter
></value>
></property>
>
>
>When I launch the nodename, I have this error :
>
>java.lang.ClassCastException:
>org.apache.hadoop.security.authentication.server.AuthenticationFilter
>cannot be cast to org.apache.hadoop.http.FilterInitializer
>
>
>Any idea to solve that ?
>
>Thank you to all in advance.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
>For additional commands, e-mail: user-help@hadoop.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org
Re: Authentication for hdfs web interface
Posted by Chris Nauroth <cn...@hortonworks.com>.
Hello Francis,
Your configuration was very close to correct, but the
hadoop.http.filter.initializers property needs to be set to the name of a
filter initializer class, not the filter itself. Use this in
core-site.xml:
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
There are more details in the HTTP Authentication section of the Apache
Hadoop documentation:
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Htt
pAuthentication.html
--Chris Nauroth
On 11/25/15, 7:48 AM, "Francis Dupin" <fr...@ifsttar.fr> wrote:
>Hi all,
>
>I would like to secure the web browser access to hdfs interface.
>
>I have installed kerberos (working fine)
>
>Then I have modified in my hadoop dist (binarie downloaded from apache
>site) :
>${HADOOP}/share/hadoop/hdfs/webapps/hdfs/WEB-INF/web.xml
>
>adding :
>
>
> <filter>
> <filter-name>kerberosFilter</filter-name>
><filter-class>org.apache.hadoop.security.authentication.server.Authenticat
>ionFilter</filter-class>
> <init-param>
> <param-name>type</param-name>
> <param-value>kerberos</param-value>
> </init-param>
> <init-param>
> <param-name>token.validity</param-name>
> <param-value>3600</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.domain</param-name>
> <param-value>.mv</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.path</param-name>
> <param-value>/</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.principal</param-name>
> <param-value>HTTP/mv05@MV</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.keytab</param-name>
><param-value>/etc/krb5kdc/kadm5.keytab</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>kerberosFilter</filter-name>
> <url-pattern>/kerberos/*</url-pattern>
> </filter-mapping>
>
>where HTTP/mv05@MV and .mv are my own parameters
>
>
>1 - In the documentation,
>-------------------------------------
>http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
>
>it is written
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>but the class is not found.
>
>I have replaced by
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>
>
>2 - In core-site.xml, I have added :
>---------------------------------------------
>
><property>
> <name>hadoop.http.filter.initializers</name>
><value>org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.se
>curity.authentication.server.AuthenticationFilter
></value>
></property>
>
>
>When I launch the nodename, I have this error :
>
>java.lang.ClassCastException:
>org.apache.hadoop.security.authentication.server.AuthenticationFilter
>cannot be cast to org.apache.hadoop.http.FilterInitializer
>
>
>Any idea to solve that ?
>
>Thank you to all in advance.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
>For additional commands, e-mail: user-help@hadoop.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org
Re: Authentication for hdfs web interface
Posted by Chris Nauroth <cn...@hortonworks.com>.
Hello Francis,
Your configuration was very close to correct, but the
hadoop.http.filter.initializers property needs to be set to the name of a
filter initializer class, not the filter itself. Use this in
core-site.xml:
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
There are more details in the HTTP Authentication section of the Apache
Hadoop documentation:
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Htt
pAuthentication.html
--Chris Nauroth
On 11/25/15, 7:48 AM, "Francis Dupin" <fr...@ifsttar.fr> wrote:
>Hi all,
>
>I would like to secure the web browser access to hdfs interface.
>
>I have installed kerberos (working fine)
>
>Then I have modified in my hadoop dist (binarie downloaded from apache
>site) :
>${HADOOP}/share/hadoop/hdfs/webapps/hdfs/WEB-INF/web.xml
>
>adding :
>
>
> <filter>
> <filter-name>kerberosFilter</filter-name>
><filter-class>org.apache.hadoop.security.authentication.server.Authenticat
>ionFilter</filter-class>
> <init-param>
> <param-name>type</param-name>
> <param-value>kerberos</param-value>
> </init-param>
> <init-param>
> <param-name>token.validity</param-name>
> <param-value>3600</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.domain</param-name>
> <param-value>.mv</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.path</param-name>
> <param-value>/</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.principal</param-name>
> <param-value>HTTP/mv05@MV</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.keytab</param-name>
><param-value>/etc/krb5kdc/kadm5.keytab</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>kerberosFilter</filter-name>
> <url-pattern>/kerberos/*</url-pattern>
> </filter-mapping>
>
>where HTTP/mv05@MV and .mv are my own parameters
>
>
>1 - In the documentation,
>-------------------------------------
>http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
>
>it is written
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>but the class is not found.
>
>I have replaced by
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>
>
>2 - In core-site.xml, I have added :
>---------------------------------------------
>
><property>
> <name>hadoop.http.filter.initializers</name>
><value>org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.se
>curity.authentication.server.AuthenticationFilter
></value>
></property>
>
>
>When I launch the nodename, I have this error :
>
>java.lang.ClassCastException:
>org.apache.hadoop.security.authentication.server.AuthenticationFilter
>cannot be cast to org.apache.hadoop.http.FilterInitializer
>
>
>Any idea to solve that ?
>
>Thank you to all in advance.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
>For additional commands, e-mail: user-help@hadoop.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org
Re: Authentication for hdfs web interface
Posted by Chris Nauroth <cn...@hortonworks.com>.
Hello Francis,
Your configuration was very close to correct, but the
hadoop.http.filter.initializers property needs to be set to the name of a
filter initializer class, not the filter itself. Use this in
core-site.xml:
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
There are more details in the HTTP Authentication section of the Apache
Hadoop documentation:
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Htt
pAuthentication.html
--Chris Nauroth
On 11/25/15, 7:48 AM, "Francis Dupin" <fr...@ifsttar.fr> wrote:
>Hi all,
>
>I would like to secure the web browser access to hdfs interface.
>
>I have installed kerberos (working fine)
>
>Then I have modified in my hadoop dist (binarie downloaded from apache
>site) :
>${HADOOP}/share/hadoop/hdfs/webapps/hdfs/WEB-INF/web.xml
>
>adding :
>
>
> <filter>
> <filter-name>kerberosFilter</filter-name>
><filter-class>org.apache.hadoop.security.authentication.server.Authenticat
>ionFilter</filter-class>
> <init-param>
> <param-name>type</param-name>
> <param-value>kerberos</param-value>
> </init-param>
> <init-param>
> <param-name>token.validity</param-name>
> <param-value>3600</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.domain</param-name>
> <param-value>.mv</param-value>
> </init-param>
> <init-param>
> <param-name>cookie.path</param-name>
> <param-value>/</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.principal</param-name>
> <param-value>HTTP/mv05@MV</param-value>
> </init-param>
> <init-param>
> <param-name>kerberos.keytab</param-name>
><param-value>/etc/krb5kdc/kadm5.keytab</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>kerberosFilter</filter-name>
> <url-pattern>/kerberos/*</url-pattern>
> </filter-mapping>
>
>where HTTP/mv05@MV and .mv are my own parameters
>
>
>1 - In the documentation,
>-------------------------------------
>http://hadoop.apache.org/docs/current/hadoop-auth/Configuration.html
>
>it is written
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>but the class is not found.
>
>I have replaced by
><filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter<
>/filter-class>
>
>
>2 - In core-site.xml, I have added :
>---------------------------------------------
>
><property>
> <name>hadoop.http.filter.initializers</name>
><value>org.apache.hadoop.http.lib.StaticUserWebFilter,org.apache.hadoop.se
>curity.authentication.server.AuthenticationFilter
></value>
></property>
>
>
>When I launch the nodename, I have this error :
>
>java.lang.ClassCastException:
>org.apache.hadoop.security.authentication.server.AuthenticationFilter
>cannot be cast to org.apache.hadoop.http.FilterInitializer
>
>
>Any idea to solve that ?
>
>Thank you to all in advance.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
>For additional commands, e-mail: user-help@hadoop.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org