hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yu Gao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9446) Support Kerberos HTTP SPNEGO authentication for non-SUN JDK
Date Tue, 02 Apr 2013 02:07:17 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13619441#comment-13619441
] 

Yu Gao commented on HADOOP-9446:
--------------------------------

The branch 1 patch also includes patches from HADOOP-9283 and HADOOP-9305 which fixed UGI
for IBM JDK only in branch 2.

To test the patches, one needs to use IBM JDK. I tested them by starting Hadoop daemons with
security enabled (including Kerberos HTTP SPNEGO authentication), and verified that SecondaryNameNode
was successfully checkpointing. Also tested accessing NN/DN/SNN/JT/TT Web UI, and accessing
HDFS/submitting jobs through Hadoop client. All worked as expected.

Attached a simple standalone testcase which can verify the patches with IBM JDK as well.
                
> Support Kerberos HTTP SPNEGO authentication for non-SUN JDK
> -----------------------------------------------------------
>
>                 Key: HADOOP-9446
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9446
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.1.1, 2.0.2-alpha
>            Reporter: Yu Gao
>            Assignee: Yu Gao
>         Attachments: HADOOP-9446-branch-1.patch, HADOOP-9446-branch-2.patch, HADOOP-9446.patch
>
>
> Class KerberosAuthenticator and KerberosAuthenticationHandler currently only support
running with SUN JDK when Kerberos is enabled. In order to support  alternative JDKs like
IBM JDK which has different options supported by Krb5LoginModule and different login module
classes, the HTTP Kerberos authentication classes need to be changed.
> In addition, NT_GSS_KRB5_PRINCIPAL, which is used in KerberosAuthenticator to get the
corresponding oid instance, is a field defined in SUN JDK, but not in IBM JDK.
> This JIRA is to fix the existing problems and add support for Kerberos HTTP SPNEGO authentication
with non-SUN JDK.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message