HDDS-3282. ozone.http.filter.initializers can't be set properly for S… #724
Conversation
|
@xiaoyuyao Is it possible to add a negative test case for this in acceptance tests? |
|
Thanks the patch @xiaoyuyao Not clear what is the exact problem with forking? I would like to remove the dependency on Hadoop classes (to be compatible with multiple hadoop version). And interested what was the problem with the forks... |
|
bq. And interested what was the problem with the forks... |
There was a problem hiding this comment.
Thanks to explain it @xiaoyuyao
Fair enough. Let's merge it now and fork it later properly.
I am working to make Ozone more hadoop-free/independent. My base motivation to provide an easier ozonefs for Hadoop 2.7/2.8 without classpath separation. It requires to reduce the dependencies from Hadoop and that's the reason why (in some cases) prefer to fork and use an own version. (Especially related to the HTTP server where half of the Hadoop code/complexity is not required by Ozone).
But I am fine to revert this part of the previous fork to provide a quick fix and do it fully, later...
There was a problem hiding this comment.
Thanks @xiaoyuyao for working on this. It seems one of the acceptance test cases (S3 gateway web ui test) is validating the change and failing due to expecting old behavior:
Running command 'curl --negotiate -u : -v http://s3g:9878/static/index.html
'...
Error 401 Authentication required
...' does not contain 'Apache Hadoop Ozone S3'
|
@xiaoyuyao Thanks for working on this! Can you please fix the acceptance test failure as @adoroszlai pointed out? |
|
Still need some additional changes to handle the deprecation of the inconsistent key names related to HTTP auth. |
|
These two tests are not very reliable they both passed in my local setup but failed on CI. |
| import org.apache.hadoop.http.FilterContainer; | ||
| import org.apache.hadoop.http.FilterInitializer; | ||
| import org.apache.hadoop.http.lib.StaticUserWebFilter; |
There was a problem hiding this comment.
Are these classes copied from Hadoop being removed and dependency on Hadoop being re-introduced intentionally? CC @elek
There was a problem hiding this comment.
@adoroszlai Yes, these are brought back to get SPNEGO work with our fork of Httpserver2. SPNEGO is implemented by KerberosAuthenticationHandler/KerberosAuthenticator in hadoop-common.
On server side, KerberosAuthenticationHandler is initialized by AuthenticationFilterInitializer that implements org.apache.hadoop.http.FilterInitializer. Unless, we decide to fork more code from hadoop-common, I think we should stick with the FilterContainer/FilterInitilaizer/StaticUserWebFilter from hadoop-common given the fact that there are barely major change in SPNEGO from hadoop 2 to hadoop 3.
|
Still +1 As I wrote earlier, I am fine to remove the (half-made) fork temporary to have a working state and do proper (working) fork later.
I assume it also can be done in a follow-up jira if required. I will merge this issue if no more objections. |
|
TestBlockOutputStreamWithFailures seems to take long time to finish (10m) with pending flaky issues as query below. Should we consider disable it? |
Green build, no objections --> I am merging it. |
|
Thanks all for the reviews and discussions. I've merged it to master. |
Sorry, I merged it locally as I promised but forget to push it. Thanks to finish it. |
What changes were proposed in this pull request?
Change to use the Initializer class from hadoop-common while keeping the ozone initializer configuration key as-is.
More specifically, to enable SPNEGO auth for ozone web console, you need to properly set the auth filter initializer like below.
ozone.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
Standardize the SPNEGO related configurations to follow the SPNEGO filter prefix rules as follows:
ozone.[component].http.auth.type = [simple, kerberos]
ozone.[component].http.auth.kerberos.principal
ozone.[component].http.auth.kerberos.keytab
component should be [om,scm,datanode,s3g,recon]
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-3282
How the fix is tested:
Test with ozonesecure docker-compose locally and verified that the change ensure unauthenticated user will get 401 error like below.