Hadoop Authentication Using Kerberos

I configured Hadoop using Kerberos, and everything works fine: I can view HDFS, submit jobs, etc. But authentication on the web consoles fails.

I am using hadoop-0.20.2 from cdh3u2, which supports HTTP SPNEGO.

The configuration associated with HTTP authentication in the core-site.xml file is as follows:

      <!-- HTTP web-consoles Authentication -->
      <property>
        <name>hadoop.http.filter.initializers</name>
        <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
      </property>
      <property>
        <name>hadoop.http.authentication.type</name>
        <value>kerberos</value>
      </property>
      <property>
        <name>hadoop.http.authentication.token.validity</name>
        <value>36000</value>
      </property>
      <property>
        <name>hadoop.http.authentication.signature.secret.file</name>
        <value>/home/hadoop/hadoop/conf/http-secret-file</value>
      </property>
      <property>
        <name>hadoop.http.authentication.cookie.domain</name>
        <value></value>
      </property>
      <property>
        <name>hadoop.http.authentication.simple.anonymous.allowed</name>
        <value>false</value>
      </property>
      <property>
        <name>hadoop.http.authentication.kerberos.principal</name>
        <value>HTTP/hz169-91.i.site.com@I.NETEASE.COM</value>
      </property>
      <property>
        <name>hadoop.http.authentication.kerberos.keytab</name>
        <value>/home/hadoop/hadoop/conf/http.keytab</value>
      </property>
    </configuration>

During startup, HTTP authentication initializes successfully:

    2011-11-15 15:43:59,106 INFO org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: Initialized, principal [HTTP/hz169-91.i.site.com@I.NETEASE.COM] from keytab [/home/hadoop/hadoop/conf/http.keytab]

After studying the code, I found that AuthenticationFilter gets a null token in doFilter, so authentication starts (code below), but the Authorization header in the HttpServletRequest is null, so every time I reload the page a single log line appears:

 2011-11-15 15:47:52,190 WARN org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler: SPNEGO starting 

    // org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
    public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
        throws IOException, AuthenticationException {
      AuthenticationToken token = null;
      String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);
      if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
        // No "Authorization: Negotiate ..." header yet: challenge the client with 401 + WWW-Authenticate
        response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (authorization == null) {
          LOG.warn("SPNEGO starting");
        } else {
          LOG.warn("'" + KerberosAuthenticator.AUTHORIZATION + "' does not start with '"
              + KerberosAuthenticator.NEGOTIATE + "' : {}", authorization);
        }
      }
      // ... the rest of the method (GSS token handling) is omitted in the post
      return token;
    }

Are there any errors in the configuration, or does my browser simply not support SPNEGO? I am using Chrome v16 on Ubuntu 11.04.

Does anyone have any clues to help me figure it out?

Thanks.

1 answer

First: thank you for posting a complete and working example of how to configure the Hadoop web consoles for SPNEGO. I had trouble finding a good example.

Your example works for me after changing the paths to the configuration files (I created hadoop.http.authentication.signature.secret.file by taking some random bytes from /dev/random, which I assume is the right thing, although I can't find documentation supporting this theory).

Google Chrome supports SPNEGO from version 6.0.472 onwards. However, it looks like on Linux and OS X you need to give it a list of servers for which it is allowed to negotiate, as described here. Therefore, when starting Chrome, try adding --auth-server-whitelist="*example.com,*foobar.com,baz" to the command line.

Another way to debug this is to use a simpler browser. I would recommend curl, if your curl has GSS-Negotiate support. Verify by running curl --version:

    $ curl --version
    curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
    Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

If GSS-Negotiate is in the list of features, you can use curl to try to access, for example, the namenode web console:

    $ curl -v -u foo --negotiate http://your.namenode.tld:50070

Just press enter when prompted for the host password.

This should help you better understand what is happening between the client and the server.

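As an added example that is not part of the question or the answer above (and not Hadoop's own code): a Python model of the header-handling half of KerberosAuthenticationHandler.authenticate(), run over constructed request headers. It shows why a browser that never answers the 401 challenge produces exactly one "SPNEGO starting" warning per page load, what curl's plain -u (without --negotiate) looks like to the filter, and two failure modes the question's snippet does not reach: a header that is not valid base64, and a Windows client that falls back to NTLM inside the Negotiate scheme, which a Kerberos-only acceptor can never accept. The NegTokenInit blob it builds is a constructed stand-in with the real DER prefix (0x60, length, OID 1.3.6.1.5.5.2), not a real ticket; GSS acceptance itself is out of scope.

```python
# Added example, not Hadoop code: models the challenge/parse logic of
# KerberosAuthenticationHandler.authenticate() over constructed headers.
import base64
import binascii
from dataclasses import dataclass, field

NEGOTIATE = "Negotiate"
# Every initial SPNEGO token (NegTokenInit) is DER: 0x60 (APPLICATION 0), a
# length byte(s), then OID 1.3.6.1.5.5.2 encoded as 06 06 2b 06 01 05 05 02.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
# Windows SSPI may place a raw NTLM token inside a Negotiate header instead.
NTLMSSP_MAGIC = b"NTLMSSP\x00"


@dataclass
class Outcome:
    status: int                         # HTTP status the filter would set
    headers: dict = field(default_factory=dict)
    log: str = ""                       # what the handler would log
    token: bytes = b""                  # decoded GSS token for the acceptor, if any


def challenge(log: str) -> Outcome:
    """401 plus WWW-Authenticate: Negotiate, as the Hadoop handler responds."""
    return Outcome(401, {"WWW-Authenticate": NEGOTIATE}, log)


def authenticate(request_headers: dict) -> Outcome:
    """Mirror of the header-handling part of authenticate(); GSS acceptance is not modelled."""
    authz = request_headers.get("Authorization")
    if authz is None or not authz.startswith(NEGOTIATE):
        # This is the branch the question's log shows on every reload.
        if authz is None:
            return challenge("SPNEGO starting")
        return challenge(f"'Authorization' does not start with '{NEGOTIATE}' : {authz}")

    # Header present: strip the scheme and base64-decode the client token.
    b64 = authz[len(NEGOTIATE):].strip()
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return Outcome(400, {}, "Negotiate header is not valid base64")

    if token.startswith(NTLMSSP_MAGIC):
        # Kerberos-only acceptor: an NTLM fallback from a Windows client cannot succeed.
        return challenge("client sent NTLM inside Negotiate; it has no Kerberos ticket for this host")
    if token[:1] != b"\x60" or SPNEGO_OID_DER not in token[:12]:
        return challenge("token is not a SPNEGO NegTokenInit")
    return Outcome(200, {}, "SPNEGO token received; would go to GSSContext.acceptSecContext", token)


def negotiate_header(token: bytes) -> dict:
    """Build the request header a client sends once it answers the challenge."""
    return {"Authorization": f"{NEGOTIATE} {base64.b64encode(token).decode()}"}


def fake_neg_token_init() -> bytes:
    """Constructed NegTokenInit-shaped blob (NOT a real ticket): 0x60, length, OID, dummy body."""
    body = SPNEGO_OID_DER + b"\xa0\x03\x0a\x01\x00"
    return b"\x60" + bytes([len(body)]) + body


def simulate_browser(sends_negotiate: bool) -> Outcome:
    """Chrome without --auth-server-whitelist answers the 401 with nothing; with it, with a token."""
    if not sends_negotiate:
        return authenticate({})
    return authenticate(negotiate_header(fake_neg_token_init()))


if __name__ == "__main__":
    cases = [
        ("no header (unlisted server in Chrome)", {}),
        ("curl -u foo without --negotiate", {"Authorization": "Basic Zm9vOg=="}),
        ("NTLM inside Negotiate", negotiate_header(NTLMSSP_MAGIC + b"\x01\x00\x00\x00")),
        ("SPNEGO NegTokenInit", negotiate_header(fake_neg_token_init())),
    ]
    for name, hdrs in cases:
        out = authenticate(hdrs)
        print(f"{name:40s} -> {out.status} {out.headers} {out.log}")
```

The first case is the one in the question: the server does its part (401 with WWW-Authenticate: Negotiate), and the "SPNEGO starting" line is the server waiting for a second request that the browser never makes, which is why the Chrome whitelist flag or curl --negotiate, not a server-side change, is the next thing to try.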

Source: https://habr.com/ru/post/1381257/