hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7119) add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
Date Thu, 18 Aug 2011 08:23:28 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13086876#comment-13086876

Aaron T. Myers commented on HADOOP-7119:

Patch looks pretty good, Alejandro. I think it's very close to being able to be committed.

Awesome that you included tests which work if a Kerberos environment is available. Thanks
for doing that. I ran all the tests (with and without Kerberos present) and they all passed.
I also ran all of the maven goals and they all worked flawlessly. I also reviewed all of the
code (though none of the code to build the project). The following are the comments from that

# In KerberosAuthenticationHandler.authenticate, you determine the user's name by always taking
the first component of the fully Kerberos principal name. Hadoop (and MIT Kerberos) allow
for one to configure arbitrary rules to perform this mapping. In order to be compatible with
Hadoop in this respect, I would think that Alfredo would also need to perform this mapping.
# README.txt has a few errors (documentation location, user mailing list.)
# Typo in BuildingIt.apt.vm: "can be used to change de default"
# In BuildingIt.apt.vm, you seem to indicate that if one changes the default values for alfredo.test.ker
beros.server.principal or alfredo.test.kerberos.client.principal that one must include the
realm part of
 the principal name. In fact, doing so will cause the tests to fail.
# In all of the documentation you include the author's name. The Hadoop projects deliberately
do not inc
lude author tags in the source.

While I was going through the code I found a number of little things (typos mostly, and style
stuff) that could use clean-up. I'll attach a patch shortly which should be applied on top
of HADOOP-7119v4.patch. This seemed like the easiest way for you to review those changes.

> add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles
> ----------------------------------------------------------------------------------
>                 Key: HADOOP-7119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7119
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 0.23.0
>         Environment: all
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-7119v3.patch, HADOOP-7119v4-amendment.patch, HADOOP-7119v4.patch,
ha-common-01.patch, ha-common-02.patch, ha-commons.patch
> Currently the JT/NN/DN/TT web-consoles don't support any form of authentication.
> Hadoop RPC API already supports Kerberos authentication.
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to Hadoop web consoles would provide a unified
authentication mechanism and single sign-on for Hadoop web UI and Hadoop RPC.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message