Posted to yarn-issues@hadoop.apache.org by "Zhijie Shen (JIRA)" <ji...@apache.org> on 2014/07/14 17:55:05 UTC

[jira] [Commented] (YARN-2247) Allow RM web services users to authenticate using delegation tokens

    [ https://issues.apache.org/jira/browse/YARN-2247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060780#comment-14060780 ] 

Zhijie Shen commented on YARN-2247:
-----------------------------------

[~vvasudev], thanks for your work on this patch, which looks good to me overall.

Some meta-comments:

1. Like YARN-2228, you may want to always use YarnAuthenticationFilterInitializer to load the auth filter. When security is enabled, use the Kerberos auth handler. Otherwise, use the pseudo auth handler instead.

2. IMHO, the configs for different components' HTTP authentication would be better with different prefixes, so that we can easily make different configs for each component in a single config file. We have done a similar thing for YARN components' RPC Kerberos authentication.

3. The authentication thing has duplicated that of httpfs and the timeline server again, which is fine for now. However, after HADOOP-10771, RM may be able to reuse the dt+kerberos auth filter in hadoop-auth as well. We need to file a ticket to track it.

4. With the auth filter working, the other get APIs can also benefit, such as getApp(s). We can do these actions with the right users. Again, let's file a follow-up ticket to deal with them.

Other details: 

1. RM_WEBAPP_USE_YARN_AUTH_FILTER -> RM_WEBAPP_AUTH_FILTER and use-yarn-auth-filter -> auth-filter.enabled? And if the component is not RM only, should we not start with the RM_ prefix, but use the YARN_ prefix instead? Last but not least, if we always execute YarnAuthenticationFilterInitializer, the flag is not required then.
{code}
+  public static final String RM_WEBAPP_USE_YARN_AUTH_FILTER =
+      RM_PREFIX + "webapp.use-yarn-auth-filter";
{code}
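
Review bot: the new constant RM_WEBAPP_USE_YARN_AUTH_FILTER carries no Javadoc in these lines, so a reader cannot tell what the default is or what the web app does when the flag is off. Judging by its name the key switches an authentication filter on or off, so add a comment stating the default and the behaviour when the key is unset, and define the matching default constant next to it.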

2. Only this constructor will be called, won't it? Do we still need the other constructors?
{code}
+  public YarnAuthenticationFilterInitializer() {
+    this("hadoop.http.authentication.");
+  }
{code}
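
Review bot: the no-argument constructor passes the literal "hadoop.http.authentication." straight to this(...), and the trailing dot is significant but easy to drop in a later edit. Pull the prefix into a named constant with a one-line comment on how it is used, so the prefix this initializer reads from is visible and changeable in one place.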

3. The authentication filter class actually accepts a null signature secret file, hence I think we should allow the null case.
{code}
+    if (signatureSecretFile == null) {
+      throw new RuntimeException("Undefined property: "
+          + signatureSecretFileProperty);
+    }
{code}
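
Review bot: the check on signatureSecretFile throws a bare RuntimeException and tests only for null, so an empty value passes it and a caller cannot tell this configuration error apart from any other runtime failure. If the check stays, throw a more specific type such as IllegalArgumentException and decide explicitly how an empty string is treated; if null becomes allowed, a comment at this point should say what happens when no secret file is set.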

> Allow RM web services users to authenticate using delegation tokens
> -------------------------------------------------------------------
>
>                 Key: YARN-2247
>                 URL: https://issues.apache.org/jira/browse/YARN-2247
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>         Attachments: apache-yarn-2247.0.patch
>
>
> The RM webapp should allow users to authenticate using delegation tokens to maintain parity with RPC.



--
This message was sent by Atlassian JIRA
(v6.2#6252)