HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)

Xiaoyu Yao 2019-08-06 12:07:53 -07:00 committed by GitHub
parent 7c2042a44d
commit a63023f261
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 26 additions and 11 deletions


@ -365,7 +365,7 @@ public final class ScmConfigKeys {
"hdds.scm.http.kerberos.principal"; "hdds.scm.http.kerberos.principal";
public static final String public static final String
HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY = HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
"hdds.scm.http.kerberos.keytab.file"; "hdds.scm.http.kerberos.keytab";
// Network topology // Network topology
public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE = public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
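Review bot: Changing the value of `HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY` from `hdds.scm.http.kerberos.keytab.file` to `hdds.scm.http.kerberos.keytab` silently orphans any existing ozone-site.xml that still sets the old name: after an upgrade the SCM HTTP server would find no keytab under the new key, and nothing in this hunk maps the old name forward. Unless a deprecation is registered elsewhere (not visible here), consider `Configuration.addDeprecation("hdds.scm.http.kerberos.keytab.file", HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY);` in the SCM's configuration setup so old configs keep working and are warned about. The constant name still says `_FILE_KEY` while the value no longer ends in `.file`; a one-line comment such as `// Key suffix must be ".http.kerberos.keytab" to match what the HTTP server reads (HDDS-1901)` would explain the mismatch to the next reader. The `ScmConfigKeys` class begins and ends outside this hunk.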


@ -1819,7 +1819,7 @@
<value>HTTP/_HOST@EXAMPLE.COM</value> <value>HTTP/_HOST@EXAMPLE.COM</value>
</property> </property>
<property> <property>
<name>hdds.scm.http.kerberos.keytab.file</name> <name>hdds.scm.http.kerberos.keytab</name>
<value>/etc/security/keytabs/HTTP.keytab</value> <value>/etc/security/keytabs/HTTP.keytab</value>
</property> </property>
@ -1831,7 +1831,7 @@
</description> </description>
</property> </property>
<property> <property>
<name>ozone.om.http.kerberos.keytab.file</name> <name>ozone.om.http.kerberos.keytab</name>
<value>/etc/security/keytabs/HTTP.keytab</value> <value>/etc/security/keytabs/HTTP.keytab</value>
<description> <description>
OzoneManager http server kerberos keytab. OzoneManager http server kerberos keytab.


@ -102,7 +102,7 @@ All these settings should be made in ozone-site.xml.
<td>SCM http server service principal.</td> <td>SCM http server service principal.</td>
</tr> </tr>
<tr> <tr>
<th scope="row">hdds.scm.http.kerberos.keytab.file</th> <th scope="row">hdds.scm.http.kerberos.keytab</th>
<td>The keytab file used by SCM http server to login as its service principal.</td> <td>The keytab file used by SCM http server to login as its service principal.</td>
</tr> </tr>
</tbody> </tbody>
@ -126,7 +126,7 @@ All these settings should be made in ozone-site.xml.
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<th scope="row">ozone.om.kerberos.principal </th> <th scope="row">ozone.om.kerberos.principal</th>
<td>The OzoneManager service principal. e.g. om/_HOST@REALM <td>The OzoneManager service principal. e.g. om/_HOST@REALM
.COM</td> .COM</td>
</tr> </tr>
@ -139,7 +139,7 @@ All these settings should be made in ozone-site.xml.
<td>Ozone Manager http server service principal.</td> <td>Ozone Manager http server service principal.</td>
</tr> </tr>
<tr> <tr>
<th scope="row"> ozone.om.http.kerberos.keytab.file</th> <th scope="row">ozone.om.http.kerberos.keytab</th>
<td>The keytab file used by OM http server to login as its service principal.</td> <td>The keytab file used by OM http server to login as its service principal.</td>
</tr> </tr>
</tbody> </tbody>


@ -213,7 +213,7 @@ private OMConfigKeys() {
public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om" public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om"
+ ".kerberos.principal"; + ".kerberos.principal";
public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE = public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
"ozone.om.http.kerberos.keytab.file"; "ozone.om.http.kerberos.keytab";
public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY
= "ozone.om.http.kerberos.principal"; = "ozone.om.http.kerberos.principal";
// Delegation token related keys // Delegation token related keys
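Review bot: `OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE` now holds `ozone.om.http.kerberos.keytab`, so the constant's name no longer describes its value, and it is also the only key in this group without the `_KEY` suffix that `OZONE_OM_KERBEROS_PRINCIPAL_KEY` and `OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY` use. Since the public name presumably cannot change without touching callers, a short comment above it, e.g. `// Value intentionally ends in ".http.kerberos.keytab" (not ".keytab.file"): that is the suffix the web console's Kerberos login reads; see HDDS-1901`, would stop a future cleanup from "fixing" the value back. If this key's old name is still present in deployed configs, a `Configuration.addDeprecation` mapping from `ozone.om.http.kerberos.keytab.file` is worth adding where OM configuration is initialised; that code is outside this hunk. The `OMConfigKeys` class starts and ends outside this hunk.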


@ -35,9 +35,9 @@ OZONE_SITE.XML_ozone.administrators=*
OZONE-SITE.XML_ozone.security.enabled=true OZONE-SITE.XML_ozone.security.enabled=true
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM


@ -43,9 +43,9 @@ OZONE-SITE.XML_ozone.acl.enabled=true
OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
OZONE-SITE.XML_ozone.administrators=* OZONE-SITE.XML_ozone.administrators=*
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
@ -58,6 +58,21 @@ CORE-SITE.XML_hadoop.security.authentication=kerberos
CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/ CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
.AuthenticationFilter=DEBUG
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
.KerberosAuthenticationHandler=TRACE
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE
CORE-SITE.XML_hadoop.security.authorization=true CORE-SITE.XML_hadoop.security.authorization=true
HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=* HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=* HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
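Review bot: The new `log4j.logger...KerberosAuthenticationHandler=TRACE` and `log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE` lines are added in the same hunk that turns on SPNEGO via `AuthenticationFilterInitializer`; at that level the authentication path may log request headers or negotiate tokens (depending on the Hadoop version), so these settings should be kept to this test compose and a comment such as `# Verbose auth logging for the secure compose test only; do not copy to production configs` placed above them. `hadoop.http.authentication.signature.secret.file=/etc/security/http_secret` requires that file to exist in the image and be readable only by the daemon user, otherwise filter initialisation fails or, worse, a world-readable secret lets anyone forge auth cookies; whether the compose provisions it is not visible in this diff. The log4j keys at the `...authentication.server` / `.AuthenticationFilter=DEBUG` lines render as two physical lines each; if the file really breaks them there, the keys are malformed and the logger settings would not take effect, so that is worth checking against the raw file. The hunk's context continues outside this view.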