Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2019/08/06 19:29:42 UTC

[hadoop] branch ozone-0.4.1 updated: HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)

This is an automated email from the ASF dual-hosted git repository.

xyao pushed a commit to branch ozone-0.4.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/ozone-0.4.1 by this push:
     new 8544df3  HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)
8544df3 is described below

commit 8544df3ba3e811c0cc5e526623d596571840eef0
Author: Xiaoyu Yao <xy...@apache.org>
AuthorDate: Tue Aug 6 12:07:53 2019 -0700

    HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)
    
    
    (cherry picked from commit a63023f2610438b9a142db3feb14236fe188b42d)
---
 .../org/apache/hadoop/hdds/scm/ScmConfigKeys.java     |  2 +-
 .../common/src/main/resources/ozone-default.xml       |  4 ++--
 hadoop-hdds/docs/content/security/SecureOzone.md      |  6 +++---
 .../java/org/apache/hadoop/ozone/om/OMConfigKeys.java |  2 +-
 .../src/main/compose/ozonesecure-mr/docker-config     |  4 ++--
 .../dist/src/main/compose/ozonesecure/docker-config   | 19 +++++++++++++++++--
 6 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
index 1f194d3..8d9facf 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java
@@ -357,7 +357,7 @@ public final class ScmConfigKeys {
       "hdds.scm.http.kerberos.principal";
   public static final String
       HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
-      "hdds.scm.http.kerberos.keytab.file";
+      "hdds.scm.http.kerberos.keytab";
 
   // Network topology
   public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
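Review bot: The value of `HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY` changes from `hdds.scm.http.kerberos.keytab.file` to `hdds.scm.http.kerberos.keytab` with no deprecation mapping visible in this commit, so an existing ozone-site.xml that still sets the old name would presumably be ignored and the SCM web console would use the default keytab path instead of the configured one. The same applies to `OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE` in the OMConfigKeys.java hunk. Registering the old names with `Configuration.addDeprecation(oldKey, newKey)` would let secured clusters keep working across the upgrade and log a warning instead of silently changing behaviour. A short comment above the constant saying why the name has to end in `.keytab` would also help, since the constant is still called `..._KEYTAB_FILE_KEY`. The class body continues outside this hunk.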
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index b2f820b..0dc9899 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1810,7 +1810,7 @@
     <value>HTTP/_HOST@EXAMPLE.COM</value>
   </property>
   <property>
-    <name>hdds.scm.http.kerberos.keytab.file</name>
+    <name>hdds.scm.http.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
   </property>
 
@@ -1822,7 +1822,7 @@
     </description>
   </property>
   <property>
-    <name>ozone.om.http.kerberos.keytab.file</name>
+    <name>ozone.om.http.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <description>
       OzoneManager http server kerberos keytab.
diff --git a/hadoop-hdds/docs/content/security/SecureOzone.md b/hadoop-hdds/docs/content/security/SecureOzone.md
index 73da57c..cf6668b 100644
--- a/hadoop-hdds/docs/content/security/SecureOzone.md
+++ b/hadoop-hdds/docs/content/security/SecureOzone.md
@@ -102,7 +102,7 @@ All these settings should be made in ozone-site.xml.
               <td>SCM http server service principal.</td>
             </tr>
             <tr>
-              <th scope="row">hdds.scm.http.kerberos.keytab.file</th>
+              <th scope="row">hdds.scm.http.kerberos.keytab</th>
               <td>The keytab file used by SCM http server to login as its service principal.</td>
             </tr>
           </tbody>
@@ -126,7 +126,7 @@ All these settings should be made in ozone-site.xml.
                 </thead>
                 <tbody>
                   <tr>
-                    <th scope="row">ozone.om.kerberos.principal </th>
+                    <th scope="row">ozone.om.kerberos.principal</th>
                     <td>The OzoneManager service principal. e.g. om/_HOST@REALM
                     .COM</td>
                   </tr>
@@ -139,7 +139,7 @@ All these settings should be made in ozone-site.xml.
                     <td>Ozone Manager http server service principal.</td>
                   </tr>
                   <tr>
-                    <th scope="row">  ozone.om.http.kerberos.keytab.file</th>
+                    <th scope="row">ozone.om.http.kerberos.keytab</th>
                     <td>The keytab file used by OM http server to login as its service principal.</td>
                   </tr>
                 </tbody>
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
index 35431fa..dcb9b5c 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java
@@ -213,7 +213,7 @@ public final class OMConfigKeys {
   public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om"
       + ".kerberos.principal";
   public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
-      "ozone.om.http.kerberos.keytab.file";
+      "ozone.om.http.kerberos.keytab";
   public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY
       = "ozone.om.http.kerberos.principal";
   // Delegation token related keys
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
index e427185..6565eef 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
@@ -35,9 +35,9 @@ OZONE_SITE.XML_ozone.administrators=*
 
 OZONE-SITE.XML_ozone.security.enabled=true
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
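Review bot: This compose config only receives the key rename, while the `hadoop.http.authentication.*` block and the `hadoop.http.filter.initializers` entry added to ozonesecure/docker-config are not mirrored here. Unless those settings already exist in a part of the file outside this hunk, the web consoles in the ozonesecure-mr cluster would still be served without the Kerberos authentication filter, so the two secure compose environments would differ in what they test. The hunk header context also shows `OZONE_SITE.XML_ozone.administrators=*` with an underscore where every other entry uses `OZONE-SITE.XML_`; it is outside the change, but worth checking whether that line is applied at all.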
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index 7e9ed82..6477e33 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -39,9 +39,9 @@ OZONE-SITE.XML_ozone.acl.enabled=true
 OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
 OZONE-SITE.XML_ozone.administrators=*
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
@@ -54,6 +54,21 @@ CORE-SITE.XML_hadoop.security.authentication=kerberos
 CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
 CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
 
+CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
+CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
+CORE-SITE.XML_hadoop.http.authentication.type=kerberos
+CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
+
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
+.AuthenticationFilter=DEBUG
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
+.KerberosAuthenticationHandler=TRACE
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE
+
+
+
 CORE-SITE.XML_hadoop.security.authorization=true
 HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
 HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
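Review bot: The three `LOG4J.PROPERTIES_` entries added after the HTTP authentication block leave `AuthenticationFilter` at DEBUG and `KerberosAuthenticationHandler` and `HttpServer2` at TRACE in the shipped compose config, which looks like troubleshooting residue and may put request and authentication detail into container logs; I would drop them or keep them commented out. Two of them also appear split across two lines here (`...authentication.server` then `.AuthenticationFilter=DEBUG`); if that is how the file is written rather than archive wrapping, each should be a single line, e.g. `LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server.AuthenticationFilter=DEBUG`. Separately, `hadoop.http.authentication.signature.secret.file=/etc/security/http_secret` is referenced but nothing in this diff provisions that file, so it is worth confirming the image creates it with restrictive permissions and the same content on every service that must accept the signed cookie.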

