
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
| Generated by Apache Maven Doxia at 2023-03-27
| Rendered using Apache Maven Stylus Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hadoop Auth &#x2013; Hadoop Auth, Java HTTP SPNEGO - Server Side Configuration</title>
<style type="text/css" media="all">
@import url("./css/maven-base.css");
@import url("./css/maven-theme.css");
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
<meta name="Date-Revision-yyyymmdd" content="20230327" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body class="composite">
<div id="bodyColumn">
<div id="contentBox">
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<h1>Hadoop Auth, Java HTTP SPNEGO - Server Side Configuration</h1><section>
<h2><a name="Server_Side_Configuration_Setup"></a>Server Side Configuration Setup</h2>
<p>The AuthenticationFilter is Hadoop Auth&#x2019;s server-side component.</p>
<p>This filter must be configured in front of all the web application resources that require authenticated requests. Examples are given in the sections below.</p>
<p>The Hadoop Auth and dependent JAR files must be in the web application classpath (commonly the <code>WEB-INF/lib</code> directory).</p>
<p>Hadoop Auth uses SLF4J-API for logging. The Hadoop Auth Maven POM dependencies define the SLF4J API dependency but do not define a dependency on a concrete logging implementation; this must be added explicitly to the web application. For example, if the web application uses Log4j, the SLF4J-LOG4J12 and LOG4J jar files must be part of the web application classpath, as well as the Log4j configuration file.</p>
<h3><a name="Common_Configuration_parameters"></a>Common Configuration parameters</h3>
<ul>
<li>
<p><code>config.prefix</code>: If specified, all other configuration parameter names must start with the prefix. The default value is no prefix.</p>
</li>
<li>
<p><code>[PREFIX.]type</code>: the authentication type keyword (<code>simple</code> or <code>kerberos</code>) or the full class name of an authentication handler implementation.</p>
</li>
<li>
<p><code>[PREFIX.]signature.secret.file</code>: When <code>signer.secret.provider</code> is set to <code>file</code>, this is the location of the file containing the secret used to sign the HTTP cookie.</p>
</li>
<li>
<p><code>[PREFIX.]token.validity</code>: The validity, in seconds, of the generated authentication token. The default value is <code>36000</code> seconds. This value is also used as the rollover interval when <code>signer.secret.provider</code> is set to <code>random</code> or <code>zookeeper</code>.</p>
</li>
<li>
<p><code>[PREFIX.]cookie.domain</code>: domain to use for the HTTP cookie that stores the authentication token.</p>
</li>
<li>
<p><code>[PREFIX.]cookie.path</code>: path to use for the HTTP cookie that stores the authentication token.</p>
</li>
<li>
<p><code>signer.secret.provider</code>: indicates the name of the SignerSecretProvider class to use. Possible values are: <code>file</code>, <code>random</code>, <code>zookeeper</code>, or a classname. If not specified, the <code>file</code> implementation will be used, and failing that, the <code>random</code> implementation. If <code>file</code> is to be used, <code>signature.secret.file</code> must also be specified and point to the secret file.</p>
</li>
</ul></section><section>
<h3><a name="Kerberos_Configuration"></a>Kerberos Configuration</h3>
<p><b>IMPORTANT</b>: A KDC must be configured and running.</p>
<p>To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:</p>
<ul>
<li>
<p><code>[PREFIX.]type</code>: the keyword <code>kerberos</code>.</p>
</li>
<li>
<p><code>[PREFIX.]kerberos.principal</code>: The web-application Kerberos principal name. The Kerberos principal name must start with <code>HTTP/...</code>. For example: <code>HTTP/localhost@LOCALHOST</code>. There is no default value.</p>
</li>
<li>
<p><code>[PREFIX.]kerberos.keytab</code>: The path to the keytab file containing the credentials for the Kerberos principal. For example: <code>/Users/tucu/tucu.keytab</code>. There is no default value.</p>
</li>
</ul>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;filter-name&gt;kerberosFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.apache.hadoop.security.authentication.server.AuthenticationFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;type&lt;/param-name&gt;
&lt;param-value&gt;kerberos&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.domain&lt;/param-name&gt;
&lt;param-value&gt;.foo.com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.path&lt;/param-name&gt;
&lt;param-value&gt;/&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.principal&lt;/param-name&gt;
&lt;param-value&gt;HTTP/localhost@LOCALHOST&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.keytab&lt;/param-name&gt;
&lt;param-value&gt;/tmp/auth.keytab&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;kerberosFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/kerberos/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
...
&lt;/web-app&gt;
</pre></div></div>
</section><section>
<h3><a name="Pseudo.2FSimple_Configuration"></a>Pseudo/Simple Configuration</h3>
<p>To use Pseudo/Simple as the authentication mechanism (which trusts the value of the query string parameter &#x2018;user.name&#x2019; as supplied by the client), the authentication filter must be configured with the following init parameters:</p>
<ul>
<li>
<p><code>[PREFIX.]type</code>: the keyword <code>simple</code>.</p>
</li>
<li>
<p><code>[PREFIX.]simple.anonymous.allowed</code>: a boolean parameter indicating whether anonymous requests are allowed. The default value is <code>false</code>.</p>
</li>
</ul>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;filter-name&gt;simpleFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.apache.hadoop.security.authentication.server.AuthenticationFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;type&lt;/param-name&gt;
&lt;param-value&gt;simple&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.domain&lt;/param-name&gt;
&lt;param-value&gt;.foo.com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.path&lt;/param-name&gt;
&lt;param-value&gt;/&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;simple.anonymous.allowed&lt;/param-name&gt;
&lt;param-value&gt;false&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;simpleFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/simple/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
...
&lt;/web-app&gt;
</pre></div></div>
</section><section>
<h3><a name="AltKerberos_Configuration"></a>AltKerberos Configuration</h3>
<p><b>IMPORTANT</b>: A KDC must be configured and running.</p>
<p>The AltKerberos authentication mechanism is a partially implemented derivative of the Kerberos SPNEGO authentication mechanism which allows a &#x201c;mixed&#x201d; form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers. To use AltKerberos as the authentication mechanism (besides providing an implementation), the authentication filter must be configured with the following init parameters, in addition to the previously mentioned Kerberos SPNEGO ones:</p>
<ul>
<li>
<p><code>[PREFIX.]type</code>: the full class name of the implementation of AltKerberosAuthenticationHandler to use.</p>
</li>
<li>
<p><code>[PREFIX.]alt-kerberos.non-browser.user-agents</code>: a comma-separated list of user-agents that should be considered non-browsers.</p>
</li>
</ul>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;filter-name&gt;kerberosFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.apache.hadoop.security.authentication.server.AuthenticationFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;type&lt;/param-name&gt;
&lt;param-value&gt;org.my.subclass.of.AltKerberosAuthenticationHandler&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;alt-kerberos.non-browser.user-agents&lt;/param-name&gt;
&lt;param-value&gt;java,curl,wget,perl&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.domain&lt;/param-name&gt;
&lt;param-value&gt;.foo.com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.path&lt;/param-name&gt;
&lt;param-value&gt;/&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.principal&lt;/param-name&gt;
&lt;param-value&gt;HTTP/localhost@LOCALHOST&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.keytab&lt;/param-name&gt;
&lt;param-value&gt;/tmp/auth.keytab&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;kerberosFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/kerberos/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
...
&lt;/web-app&gt;
</pre></div></div>
</section><section>
<h3><a name="LDAP_Configuration"></a>LDAP Configuration</h3>
<p><b>IMPORTANT</b>: An LDAP server must be configured and running. When TLS is enabled for communication with the LDAP server (either via the ldaps scheme or the &#x2018;StartTLS&#x2019; extension), configure the public certificate of the LDAP server in the local truststore.</p>
<p>The LDAP authentication mechanism uses the HTTP Basic authentication scheme to verify user-specified credentials against a configured LDAP (or Active Directory) server. The authentication filter must be configured with the following init parameters:</p>
<ul>
<li>
<p><code>[PREFIX.]type</code>: The keyword <code>ldap</code>.</p>
</li>
<li>
<p><code>[PREFIX.]ldap.providerurl</code>: The URL of the LDAP server.</p>
</li>
<li>
<p><code>[PREFIX.]ldap.basedn</code>: The base distinguished name (DN) to be used with the LDAP server. This value is appended to the provided user id for authentication purposes. This property is not useful with an Active Directory server.</p>
</li>
<li>
<p><code>[PREFIX.]ldap.binddomain</code>: The LDAP bind domain value to be used with the LDAP server. This property is optional and useful only with an Active Directory server (e.g. example.com).</p>
</li>
<li>
<p><code>[PREFIX.]ldap.enablestarttls</code>: A boolean value indicating whether the LDAP server supports the &#x2018;StartTLS&#x2019; extension.</p>
</li>
</ul>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;filter-name&gt;authFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.apache.hadoop.security.authentication.server.AuthenticationFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;type&lt;/param-name&gt;
&lt;param-value&gt;ldap&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.providerurl&lt;/param-name&gt;
&lt;param-value&gt;ldap://ldap-server-host:8920&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.basedn&lt;/param-name&gt;
&lt;param-value&gt;ou=users,dc=example,dc=com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.enablestarttls&lt;/param-name&gt;
&lt;param-value&gt;true&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;authFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/ldap/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
...
&lt;/web-app&gt;
</pre></div></div>
</section><section>
<h3><a name="Multi-scheme_Configuration"></a>Multi-scheme Configuration</h3>
<p><b>IMPORTANT</b>: This configuration supports multiple authentication mechanisms (e.g. kerberos, ldap etc.) together. Please refer to the documentation of each individual scheme for configuration-related details.</p>
<p>The multi-scheme authentication mechanism supports multiple authentication mechanisms (e.g. kerberos, ldap etc.) by implementing an HTTP authentication negotiation mechanism (please refer to RFC-2616). To enable each type of authentication mechanism (e.g. ldap), a corresponding authentication handler must be configured. Please refer to the following configuration parameters:</p>
<ul>
<li>
<p><code>[PREFIX.]type</code>: The keyword <code>multi-scheme</code>.</p>
</li>
<li>
<p><code>[PREFIX.]multi-scheme-auth-handler.schemes</code>: A comma-separated list of the HTTP authentication mechanisms supported by this handler. It is a required parameter and has no default value (e.g. multi-scheme-auth-handler.schemes=basic,negotiate).</p>
</li>
<li>
<p><code>[PREFIX.]multi-scheme-auth-handler.schemes.&lt;scheme-name&gt;.handler</code>: The authentication handler implementation to be used for the specified authentication scheme. It has no default value (e.g. multi-scheme-auth-handler.schemes.negotiate.handler=kerberos). Add this handler configuration for each configured scheme.</p>
</li>
</ul>
<p>In addition to these parameters, the init parameters for each configured handler must be specified as well.</p>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;filter-name&gt;authFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.apache.hadoop.security.authentication.server.AuthenticationFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;type&lt;/param-name&gt;
&lt;param-value&gt;multi-scheme&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;multi-scheme-auth-handler.schemes&lt;/param-name&gt;
&lt;param-value&gt;basic,negotiate&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;multi-scheme-auth-handler.basic.handler&lt;/param-name&gt;
&lt;param-value&gt;ldap&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;multi-scheme-auth-handler.schemes.negotiate.handler&lt;/param-name&gt;
&lt;param-value&gt;kerberos&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.providerurl&lt;/param-name&gt;
&lt;param-value&gt;ldap://ldap-server-host:8920&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.basedn&lt;/param-name&gt;
&lt;param-value&gt;ou=users,dc=example,dc=com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;ldap.enablestarttls&lt;/param-name&gt;
&lt;param-value&gt;true&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.domain&lt;/param-name&gt;
&lt;param-value&gt;.foo.com&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;cookie.path&lt;/param-name&gt;
&lt;param-value&gt;/&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.principal&lt;/param-name&gt;
&lt;param-value&gt;HTTP/localhost@LOCALHOST&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;kerberos.keytab&lt;/param-name&gt;
&lt;param-value&gt;/tmp/auth.keytab&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;authFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/multi-scheme/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
...
&lt;/web-app&gt;
</pre></div></div>
</section><section>
<h3><a name="SignerSecretProvider_Configuration"></a>SignerSecretProvider Configuration</h3>
<p>The SignerSecretProvider is used to provide more advanced behaviors for the secret used for signing the HTTP cookies that carry the authentication token. Anyone who obtains this secret can forge a valid authentication cookie for any user, so how the secret is generated, stored and shared between servers is security critical.</p>
<p>These are the relevant configuration properties:</p>
<ul>
<li>
<p><code>signer.secret.provider</code>: indicates the name of the SignerSecretProvider class to use. Possible values are: &#x201c;file&#x201d;, &#x201c;random&#x201d;, &#x201c;zookeeper&#x201d;, or a classname. If not specified, the &#x201c;file&#x201d; implementation will be used; and failing that, the &#x201c;random&#x201d; implementation will be used. If &#x201c;file&#x201d; is to be used, one needs to specify <code>signature.secret.file</code> and point it to the secret file. Note that with &#x201c;random&#x201d; each server instance generates its own secret, so a cookie issued by one server is not expected to validate on another; where several servers must accept the same cookie, use &#x201c;file&#x201d; with the same secret on every server or the &#x201c;zookeeper&#x201d; implementation.</p>
</li>
<li>
<p><code>[PREFIX.]signature.secret.file</code>: When <code>signer.secret.provider</code> is set to <code>file</code> or not specified, this is the path of the file whose contents are used as the secret to sign the HTTP cookie. The file must be readable only by the account running the web application, and all servers that are expected to accept each other's cookies must use the same secret.</p>
</li>
<li>
<p><code>[PREFIX.]token.validity</code>: The validity -in seconds- of the generated authentication token. The default value is <code>36000</code> seconds. This is also used for the rollover interval when <code>signer.secret.provider</code> is set to <code>random</code> or <code>zookeeper</code>.</p>
</li>
</ul>
<p>The following configuration properties are specific to the <code>zookeeper</code> implementation:</p>
<ul>
<li>
<p><code>signer.secret.provider.zookeeper.connection.string</code>: Indicates the ZooKeeper connection string to connect with. The default value is <code>localhost:2181</code></p>
</li>
<li>
<p><code>signer.secret.provider.zookeeper.path</code>: Indicates the ZooKeeper path to use for storing and retrieving the secrets. All servers that need to coordinate their secret should point to the same path</p>
</li>
<li>
<p><code>signer.secret.provider.zookeeper.auth.type</code>: Indicates the auth type to use when connecting to ZooKeeper. Supported values are <code>none</code> and <code>sasl</code>. The default value is <code>none</code>, which means the signing secrets are written to and read from ZooKeeper without authentication; any client that can reach ZooKeeper could then read or replace them. Use <code>sasl</code> (with the Kerberos parameters below) in any deployment where ZooKeeper is not fully trusted.</p>
</li>
<li>
<p><code>signer.secret.provider.zookeeper.kerberos.keytab</code>: Set this to the path of the Kerberos keytab file. This is only required if <code>signer.secret.provider.zookeeper.auth.type</code> is <code>sasl</code>.</p>
</li>
<li>
<p><code>signer.secret.provider.zookeeper.kerberos.principal</code>: Set this to the Kerberos principal to use. This is only required if <code>signer.secret.provider.zookeeper.auth.type</code> is <code>sasl</code>.</p>
</li>
<li>
<p><code>signer.secret.provider.zookeeper.disconnect.on.shutdown</code>: Whether to close the ZooKeeper connection when the provider is shutdown. The default value is <code>true</code>. Only set this to <code>false</code> if a custom Curator client is being provided and the disconnection is being handled elsewhere.</p>
</li>
</ul>
<p>The following attribute in the ServletContext can also be set if desired:</p>
<ul>
<li>
<p><code>signer.secret.provider.zookeeper.curator.client</code>: A CuratorFramework client object can be passed here. If given, the &#x201c;zookeeper&#x201d; implementation will use this Curator client instead of creating its own, which is useful if you already have a Curator client or want more control over its configuration (for example its authentication and ACL settings).</p>
</li>
</ul>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;!-- AuthenticationHandler configs not shown --&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider&lt;/param-name&gt;
&lt;param-value&gt;file&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signature.secret.file&lt;/param-name&gt;
&lt;param-value&gt;/myapp/secret_file&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
...
&lt;/web-app&gt;
</pre></div></div>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;!-- AuthenticationHandler configs not shown --&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider&lt;/param-name&gt;
&lt;param-value&gt;random&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
...
&lt;/web-app&gt;
</pre></div></div>
<p><b>Example</b>:</p>
<div class="source">
<div class="source">
<pre> &lt;web-app version=&quot;2.5&quot; xmlns=&quot;http://java.sun.com/xml/ns/javaee&quot;&gt;
...
&lt;filter&gt;
&lt;!-- AuthenticationHandler configs not shown --&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider&lt;/param-name&gt;
&lt;param-value&gt;zookeeper&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;token.validity&lt;/param-name&gt;
&lt;param-value&gt;30&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider.zookeeper.connection.string&lt;/param-name&gt;
&lt;param-value&gt;zoo1:2181,zoo2:2181,zoo3:2181&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider.zookeeper.path&lt;/param-name&gt;
&lt;param-value&gt;/myapp/secrets&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider.zookeeper.auth.type&lt;/param-name&gt;
&lt;param-value&gt;sasl&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider.zookeeper.kerberos.keytab&lt;/param-name&gt;
&lt;param-value&gt;/tmp/auth.keytab&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;init-param&gt;
&lt;param-name&gt;signer.secret.provider.zookeeper.kerberos.principal&lt;/param-name&gt;
&lt;param-value&gt;HTTP/localhost@LOCALHOST&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
...
&lt;/web-app&gt;
</pre></div></div></section></section>
</div>
</div>
</body>
</html>