HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)
This commit is contained in:
parent
7c2042a44d
commit
a63023f261
|
@ -365,7 +365,7 @@ public final class ScmConfigKeys {
|
||||||
"hdds.scm.http.kerberos.principal";
|
"hdds.scm.http.kerberos.principal";
|
||||||
public static final String
|
public static final String
|
||||||
HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
|
HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
|
||||||
"hdds.scm.http.kerberos.keytab.file";
|
"hdds.scm.http.kerberos.keytab";
|
||||||
|
|
||||||
// Network topology
|
// Network topology
|
||||||
public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
|
public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
|
||||||
|
|
|
@ -1819,7 +1819,7 @@
|
||||||
<value>HTTP/_HOST@EXAMPLE.COM</value>
|
<value>HTTP/_HOST@EXAMPLE.COM</value>
|
||||||
</property>
|
</property>
|
||||||
<property>
|
<property>
|
||||||
<name>hdds.scm.http.kerberos.keytab.file</name>
|
<name>hdds.scm.http.kerberos.keytab</name>
|
||||||
<value>/etc/security/keytabs/HTTP.keytab</value>
|
<value>/etc/security/keytabs/HTTP.keytab</value>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
@ -1831,7 +1831,7 @@
|
||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
<property>
|
<property>
|
||||||
<name>ozone.om.http.kerberos.keytab.file</name>
|
<name>ozone.om.http.kerberos.keytab</name>
|
||||||
<value>/etc/security/keytabs/HTTP.keytab</value>
|
<value>/etc/security/keytabs/HTTP.keytab</value>
|
||||||
<description>
|
<description>
|
||||||
OzoneManager http server kerberos keytab.
|
OzoneManager http server kerberos keytab.
|
||||||
|
|
|
@ -102,7 +102,7 @@ All these settings should be made in ozone-site.xml.
|
||||||
<td>SCM http server service principal.</td>
|
<td>SCM http server service principal.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<th scope="row">hdds.scm.http.kerberos.keytab.file</th>
|
<th scope="row">hdds.scm.http.kerberos.keytab</th>
|
||||||
<td>The keytab file used by SCM http server to login as its service principal.</td>
|
<td>The keytab file used by SCM http server to login as its service principal.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
@ -139,7 +139,7 @@ All these settings should be made in ozone-site.xml.
|
||||||
<td>Ozone Manager http server service principal.</td>
|
<td>Ozone Manager http server service principal.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<th scope="row"> ozone.om.http.kerberos.keytab.file</th>
|
<th scope="row">ozone.om.http.kerberos.keytab</th>
|
||||||
<td>The keytab file used by OM http server to login as its service principal.</td>
|
<td>The keytab file used by OM http server to login as its service principal.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
|
@ -213,7 +213,7 @@ public final class OMConfigKeys {
|
||||||
public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om"
|
public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om"
|
||||||
+ ".kerberos.principal";
|
+ ".kerberos.principal";
|
||||||
public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
|
public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
|
||||||
"ozone.om.http.kerberos.keytab.file";
|
"ozone.om.http.kerberos.keytab";
|
||||||
public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY
|
public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY
|
||||||
= "ozone.om.http.kerberos.principal";
|
= "ozone.om.http.kerberos.principal";
|
||||||
// Delegation token related keys
|
// Delegation token related keys
|
||||||
|
|
|
@ -35,9 +35,9 @@ OZONE_SITE.XML_ozone.administrators=*
|
||||||
|
|
||||||
OZONE-SITE.XML_ozone.security.enabled=true
|
OZONE-SITE.XML_ozone.security.enabled=true
|
||||||
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
|
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
|
||||||
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
|
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
|
||||||
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
|
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
|
||||||
OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
|
OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
|
||||||
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
|
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
|
||||||
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
|
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
|
||||||
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
|
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
|
||||||
|
|
|
@ -43,9 +43,9 @@ OZONE-SITE.XML_ozone.acl.enabled=true
|
||||||
OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
|
OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
|
||||||
OZONE-SITE.XML_ozone.administrators=*
|
OZONE-SITE.XML_ozone.administrators=*
|
||||||
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
|
OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
|
||||||
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
|
OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
|
||||||
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
|
OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
|
||||||
OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
|
OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
|
||||||
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
|
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
|
||||||
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
|
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
|
||||||
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
|
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
|
||||||
|
@ -58,6 +58,21 @@ CORE-SITE.XML_hadoop.security.authentication=kerberos
|
||||||
CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
|
CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
|
||||||
CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
|
CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
|
||||||
|
|
||||||
|
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
|
||||||
|
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
|
||||||
|
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
|
||||||
|
CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
|
||||||
|
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
|
||||||
|
CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
|
||||||
|
|
||||||
|
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
|
||||||
|
.AuthenticationFilter=DEBUG
|
||||||
|
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
|
||||||
|
.KerberosAuthenticationHandler=TRACE
|
||||||
|
LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
CORE-SITE.XML_hadoop.security.authorization=true
|
CORE-SITE.XML_hadoop.security.authorization=true
|
||||||
HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
|
HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
|
||||||
HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
|
HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
|
||||||
|
|
Loading…
Reference in New Issue