Apex HTTP Authentication

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Apex HTTP Authentication

Thomas Weise-2
I'm working on a secure cluster that has authentication enabled for the YARN services.

In my Apex setup, I have:

 <property>

   <name>apex.attr.STRAM_HTTP_AUTHENTICATION</name>

   <value>DISABLE</value>

 </property>


"DISABLE - Disable authentication for web services."

That's not what happens though, it rather follows the Hadoop setting and fails because in this case Kerberos is enabled and the keytab not configured. 

I think that if a DISABLE option is advertised, then it should turn off the authentication that gets inherited from the node manager environment.

    Configuration config = getConfig();

    if (SecurityUtils.isStramWebSecurityEnabled()) {

       config = new Configuration(config);

       config.set("hadoop.http.filter.initializers", StramWSFilterInitializer.class.getCanonicalName());

     } else {

       if (!"simple".equals(config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP))) {

         LOG.warn("Found http authentication {} but authentication was disabled in Apex.",

             config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP));

         config = new Configuration(config);

         // turn off authentication for Apex as specified by user

         config.set(SecurityUtils.HADOOP_HTTP_AUTH_PROP, "simple");

       }

    }


It will also help tremendously when warning from jetty are not swallowed due to

    org.mortbay.log.Log.setLog(null);

Otherwise there is just a "handler failed" message and the user has no way to know what went wrong without hacking the Apex code?

Thanks,
Thomas


Reply | Threaded
Open this post in threaded view
|

Re: Apex HTTP Authentication

Pramod Immaneni
Looks like the disable behavior is a bug, could you file a JIRA?

Thanks

On Wed, Jul 12, 2017 at 9:36 PM, Thomas Weise <[hidden email]> wrote:
I'm working on a secure cluster that has authentication enabled for the YARN services.

In my Apex setup, I have:

 <property>

   <name>apex.attr.STRAM_HTTP_AUTHENTICATION</name>

   <value>DISABLE</value>

 </property>


"DISABLE - Disable authentication for web services."

That's not what happens though, it rather follows the Hadoop setting and fails because in this case Kerberos is enabled and the keytab not configured. 

I think that if a DISABLE option is advertised, then it should turn off the authentication that gets inherited from the node manager environment.

    Configuration config = getConfig();

    if (SecurityUtils.isStramWebSecurityEnabled()) {

       config = new Configuration(config);

       config.set("hadoop.http.filter.initializers", StramWSFilterInitializer.class.getCanonicalName());

     } else {

       if (!"simple".equals(config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP))) {

         LOG.warn("Found http authentication {} but authentication was disabled in Apex.",

             config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP));

         config = new Configuration(config);

         // turn off authentication for Apex as specified by user

         config.set(SecurityUtils.HADOOP_HTTP_AUTH_PROP, "simple");

       }

    }


It will also help tremendously when warning from jetty are not swallowed due to

    org.mortbay.log.Log.setLog(null);

Otherwise there is just a "handler failed" message and the user has no way to know what went wrong without hacking the Apex code?

Thanks,
Thomas



Reply | Threaded
Open this post in threaded view
|

Re: Apex HTTP Authentication

Thomas Weise-2
I will open a PR.


On Wed, Jul 12, 2017 at 10:07 PM, Pramod Immaneni <[hidden email]> wrote:
Looks like the disable behavior is a bug, could you file a JIRA?

Thanks

On Wed, Jul 12, 2017 at 9:36 PM, Thomas Weise <[hidden email]> wrote:
I'm working on a secure cluster that has authentication enabled for the YARN services.

In my Apex setup, I have:

 <property>

   <name>apex.attr.STRAM_HTTP_AUTHENTICATION</name>

   <value>DISABLE</value>

 </property>


"DISABLE - Disable authentication for web services."

That's not what happens though, it rather follows the Hadoop setting and fails because in this case Kerberos is enabled and the keytab not configured. 

I think that if a DISABLE option is advertised, then it should turn off the authentication that gets inherited from the node manager environment.

    Configuration config = getConfig();

    if (SecurityUtils.isStramWebSecurityEnabled()) {

       config = new Configuration(config);

       config.set("hadoop.http.filter.initializers", StramWSFilterInitializer.class.getCanonicalName());

     } else {

       if (!"simple".equals(config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP))) {

         LOG.warn("Found http authentication {} but authentication was disabled in Apex.",

             config.get(SecurityUtils.HADOOP_HTTP_AUTH_PROP));

         config = new Configuration(config);

         // turn off authentication for Apex as specified by user

         config.set(SecurityUtils.HADOOP_HTTP_AUTH_PROP, "simple");

       }

    }


It will also help tremendously when warning from jetty are not swallowed due to

    org.mortbay.log.Log.setLog(null);

Otherwise there is just a "handler failed" message and the user has no way to know what went wrong without hacking the Apex code?

Thanks,
Thomas