Posted to yarn-issues@hadoop.apache.org by "Jian He (JIRA)" <ji...@apache.org> on 2015/06/26 04:39:04 UTC

[jira] [Comment Edited] (YARN-3855) If acl is enabled and http.authentication.type is simple, user cannot view the app page in default setup

    [ https://issues.apache.org/jira/browse/YARN-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14602295#comment-14602295 ] 

Jian He edited comment on YARN-3855 at 6/26/15 2:38 AM:
--------------------------------------------------------

bq. This is a misconfiguration, plain and simple.
We do see some use cases where people want their cluster secure but not the web UI. People do not bother doing kinit before launching the browser. If the cluster is set up in this particular way, which is the default, there's no way to browse the applications other than restarting the daemon and changing configs, which is too inconvenient. Given that the filter is already always added in non-secure mode, I think it's fine to add the filter when http is simple, which is what ATS is currently doing.


was (Author: jianhe):
bq. This is a misconfiguration, plain and simple.
We do see some use cases where people want their cluster secure but not the web UI. People do not bother doing kinit before launching the browser. If the cluster is set up in this particular way, which is the default, there's no way to browse the applications other than restarting the daemon and changing configs, which is too inconvenient. Given that the filter is also added in non-secure mode, I think it's also fine to add in secure mode.

> If acl is enabled and http.authentication.type is simple, user cannot view the app page in default setup
> --------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-3855
>                 URL: https://issues.apache.org/jira/browse/YARN-3855
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3855.1.patch
>
>
> If all ACLs (admin acl, queue-admin-acls etc.) are set up properly and "http.authentication.type" is 'simple' in secure mode, the user cannot view the application web page in the default setup because the incoming user is always considered as "dr.who". The user also cannot pass "user.name" to indicate the incoming user name, because AuthenticationFilterInitializer is not enabled by default. This is inconvenient from the user's perspective.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)