I configured Hadoop using Kerberos and everything works fine: I can browse HDFS, submit jobs, etc. But HTTP web authentication failed.
I use hadoop-0.20.2 in cdh3u2, which supports HTTP SPNEGO.
HTTP authentication related configurations in core-site.xml are as follows:
<!-- HTTP web-consoles Authentication -->
<property>
  <name>hadoop.http.filter.initializers</name>
  <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
<property>
  <name>hadoop.http.authentication.type</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.http.authentication.token.validity</name>
  <value>36000</value>
</property>
<property>
  <name>hadoop.http.authentication.signature.secret.file</name>
  <value>/home/hadoop/hadoop/conf/http-secret-file</value>
</property>
<property>
  <name>hadoop.http.authentication.cookie.domain</name>
  <value></value>
</property>
<property>
  <name>hadoop.http.authentication.simple.anonymous.allowed</name>
  <value>false</value>
</property>
<property>
  <name>hadoop.http.authentication.kerberos.principal</name>
  <value>HTTP/hz169-91.i.site.com@I.NETEASE.COM</value>
</property>
<property>
  <name>hadoop.http.authentication.kerberos.keytab</name>
  <value>/home/hadoop/hadoop/conf/http.keytab</value>
</property>
</configuration>
During startup, HTTP authentication succeeded.
2011-11-15 15:43:59,106 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Initialized, principal [HTTP/hz169-91.i.site.com@I.NETEASE.COM] from keytab [/home/hadoop/hadoop/conf/http.keytab]
After looking into the code, I found out that AuthenticationFilter gets a null token during doFilter, so authentication begins (code below), but authorization in the HttpServletRequest is null, so every time I reload my page, one log line appears.
2011-11-15 15:47:52,190 WARN org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: SPNEGO starting
// org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException {
  AuthenticationToken token = null;
  String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);
  // No Negotiate token from the client yet: answer 401 and ask for one.
  if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
    response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    if (authorization == null) {
      LOG.warn("SPNEGO starting");
    } else {
      LOG.warn("'" + KerberosAuthenticator.AUTHORIZATION + "' does not start with '" +
          KerberosAuthenticator.NEGOTIATE + "' : {}", authorization);
    }
    // ... (excerpt ends here; the rest of the method is not shown)
Are there any configuration errors, or does my browser just not support SPNEGO? I use Chrome v16 on Ubuntu 11.04.
Does anybody have clues to help me figure it out?
Thanks.
First: Thank you for posting a complete and working example on how to configure Hadoop web consoles for SPNEGO - I had trouble finding a good example.
Your example works for me after modifying paths to config files (I created hadoop.http.authentication.signature.secret.file by getting some random bytes from /dev/random, which I'm assuming is the right thing to do, although I can't find any documentation supporting that theory).
Google Chrome does support SPNEGO from version 6.0.472 and forward. However, it seems that on Linux and OSX you have to pass it a list of servers for which it's OK to enable it as documented here. So, try adding --auth-server-whitelist="*example.com,*foobar.com,baz" to the cmdline when starting Chrome.
Another way of debugging this would be to use a simpler browser. I would recommend curl, if your curl has GSS-Negotiate support. Check by running curl --version
If GSS-Negotiate is in the Features list, you can use curl to try to access for example the namenode Web Console:
Just press enter when asked for host password.
This should give you a better idea on what's going on between the client and the server.
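As an added example (not part of the original posts or of Hadoop), this helper reads a verbose client transcript of the kind `curl -v` prints and reports how far the SPNEGO exchange got, including the case from the question where the server keeps logging "SPNEGO starting" because the client never answers the 401. The function names and the sample transcripts are constructed for illustration; it assumes curl's `>`/`<` header prefixes.

```python
import base64
import re

def token_kind(b64):
    """Guess the mechanism of a Negotiate token from its first bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"    # raw NTLM message, not a Kerberos ticket
    if raw[:1] == b"\x60":
        return "gssapi"  # ASN.1 [APPLICATION 0]: GSS-API initial context token
    return "unknown"

def diagnose(transcript):
    """Report how far the SPNEGO exchange got in a `curl -v` style transcript."""
    status, challenged, sent = None, False, None
    for line in transcript.splitlines():
        if m := re.match(r"< HTTP/\S+ (\d{3})", line):
            status = int(m.group(1))
        elif re.match(r"< WWW-Authenticate:\s*Negotiate", line, re.I):
            challenged = True
        elif m := re.match(r"> Authorization:\s*(\S+)\s*(\S*)", line, re.I):
            scheme, token = m.groups()
            sent = token_kind(token) if scheme.lower() == "negotiate" else "other-scheme"
    if sent is None:
        # Server logs "SPNEGO starting" on every reload: client never answers the 401.
        return "challenge-unanswered" if challenged and status == 401 else "no-challenge"
    if sent != "gssapi":
        return "client-sent-" + sent
    return "authenticated" if status is not None and status < 400 else "token-rejected"

# Constructed sample transcripts (not captured from a real cluster).
_KRB = base64.b64encode(b"\x60\x82\x02\x0a\x06\x06+\x06\x01\x05\x05\x02").decode()
_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
CHALLENGE = "< HTTP/1.1 401 Unauthorized\n< WWW-Authenticate: Negotiate\n"
UNANSWERED = "> GET / HTTP/1.1\n" + CHALLENGE
NTLM_FALLBACK = UNANSWERED + f"> GET / HTTP/1.1\n> Authorization: Negotiate {_NTLM}\n" + CHALLENGE
SUCCESS = UNANSWERED + f"> GET / HTTP/1.1\n> Authorization: Negotiate {_KRB}\n< HTTP/1.1 200 OK\n"

if __name__ == "__main__":
    for name in ("UNANSWERED", "NTLM_FALLBACK", "SUCCESS"):
        print(name, "->", diagnose(globals()[name]))
```

A result of `challenge-unanswered` points at the client (no ticket, or the server is not on the browser's allowed list) rather than at the Hadoop configuration.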