
HDDS-1901. Fix Ozone HTTP WebConsole Authentication. Contributed by Xiaoyu Yao. (#1228)

(cherry picked from commit a63023f2610438b9a142db3feb14236fe188b42d)
Xiaoyu Yao 5 tahun lalu
8544df3ba3

+ 1 - 1
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java

@@ -357,7 +357,7 @@ public final class ScmConfigKeys {
       "hdds.scm.http.kerberos.principal";
   public static final String
       HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
-      "hdds.scm.http.kerberos.keytab.file";
+      "hdds.scm.http.kerberos.keytab";
 
   // Network topology
   public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE =
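Review bot: Changing the key string from `hdds.scm.http.kerberos.keytab.file` to `hdds.scm.http.kerberos.keytab` drops support for existing ozone-site.xml files that still use the old name; with no deprecation mapping the old setting is presumably ignored and the SCM web console comes up without the intended keytab, which is a quiet failure for a security setting. Register the old name where the project declares deprecated keys, e.g. `Configuration.addDeprecation("hdds.scm.http.kerberos.keytab.file", HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY);`, or at minimum call the rename out in the release notes. The same applies to OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE in OMConfigKeys.java. The constant name still carries `_FILE` while the key no longer does; keeping it is fine for source compatibility, but a short comment such as `// key renamed from "hdds.scm.http.kerberos.keytab.file" in HDDS-1901` would spare the next reader the mismatch. The ScmConfigKeys class body starts and ends outside this hunk.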

+ 2 - 2
hadoop-hdds/common/src/main/resources/ozone-default.xml

@@ -1810,7 +1810,7 @@
     <value>HTTP/_HOST@EXAMPLE.COM</value>
   </property>
   <property>
-    <name>hdds.scm.http.kerberos.keytab.file</name>
+    <name>hdds.scm.http.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
   </property>
 
@@ -1822,7 +1822,7 @@
     </description>
   </property>
   <property>
-    <name>ozone.om.http.kerberos.keytab.file</name>
+    <name>ozone.om.http.kerberos.keytab</name>
     <value>/etc/security/keytabs/HTTP.keytab</value>
     <description>
       OzoneManager http server kerberos keytab.
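Review bot: The renamed `hdds.scm.http.kerberos.keytab` property in the first hunk has no `<description>` element, while `ozone.om.http.kerberos.keytab` in the second hunk documents its purpose; since this file is what users consult when wiring up Kerberos for the web consoles, the SCM entry should say what the value is. Adding `<description>The keytab file used by the SCM http server to login as its service principal.</description>` after the `<value>` line (wording taken from SecureOzone.md in this same commit) would make the two entries consistent. Whether a `<tag>` element exists for either property is not visible in these hunks, so I have not checked that the two agree there.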

+ 3 - 3
hadoop-hdds/docs/content/security/SecureOzone.md

@@ -102,7 +102,7 @@ All these settings should be made in ozone-site.xml.
               <td>SCM http server service principal.</td>
             </tr>
             <tr>
-              <th scope="row">hdds.scm.http.kerberos.keytab.file</th>
+              <th scope="row">hdds.scm.http.kerberos.keytab</th>
               <td>The keytab file used by SCM http server to login as its service principal.</td>
             </tr>
           </tbody>
@@ -126,7 +126,7 @@ All these settings should be made in ozone-site.xml.
                 </thead>
                 <tbody>
                   <tr>
-                    <th scope="row">ozone.om.kerberos.principal </th>
+                    <th scope="row">ozone.om.kerberos.principal</th>
                     <td>The OzoneManager service principal. e.g. om/_HOST@REALM
                     .COM</td>
                   </tr>
@@ -139,7 +139,7 @@ All these settings should be made in ozone-site.xml.
                     <td>Ozone Manager http server service principal.</td>
                   </tr>
                   <tr>
-                    <th scope="row">  ozone.om.http.kerberos.keytab.file</th>
+                    <th scope="row">ozone.om.http.kerberos.keytab</th>
                     <td>The keytab file used by OM http server to login as its service principal.</td>
                   </tr>
                 </tbody>

+ 1 - 1
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMConfigKeys.java

@@ -213,7 +213,7 @@ public final class OMConfigKeys {
   public static final String OZONE_OM_KERBEROS_PRINCIPAL_KEY = "ozone.om"
       + ".kerberos.principal";
   public static final String OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE =
-      "ozone.om.http.kerberos.keytab.file";
+      "ozone.om.http.kerberos.keytab";
   public static final String OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY
       = "ozone.om.http.kerberos.principal";
   // Delegation token related keys

+ 2 - 2
hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config

@@ -35,9 +35,9 @@ OZONE_SITE.XML_ozone.administrators=*
 
 OZONE-SITE.XML_ozone.security.enabled=true
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
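Review bot: This compose receives only the two keytab key renames, while the `hadoop.http.authentication.*` and `hadoop.http.filter.initializers` settings that actually switch the SCM/OM web consoles to Kerberos are added only to ozonesecure/docker-config in this same commit. Unless those values are supplied elsewhere for ozonesecure-mr, its HTTP endpoints presumably keep Hadoop's default `simple` authentication with anonymous access allowed, so the renamed keytab keys here have no effect on console authentication. If this compose is meant to be a secured reference as well, mirroring the six CORE-SITE lines from the ozonesecure change would close the gap.
```properties
# … unchanged: OZONE-SITE.XML_* and HDFS-SITE.XML_* entries …
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
```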

+ 17 - 2
hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config

@@ -39,9 +39,9 @@ OZONE-SITE.XML_ozone.acl.enabled=true
 OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer
 OZONE-SITE.XML_ozone.administrators=*
 OZONE-SITE.XML_hdds.scm.http.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 OZONE-SITE.XML_ozone.om.http.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.kerberos.keytab.file=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
@@ -54,6 +54,21 @@ CORE-SITE.XML_hadoop.security.authentication=kerberos
 CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1@$0](.*)s/.*/root/
 CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
 
+CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
+CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
+CORE-SITE.XML_hadoop.http.authentication.type=kerberos
+CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+CORE-SITE.XML_hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer
+
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
+.AuthenticationFilter=DEBUG
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server
+.KerberosAuthenticationHandler=TRACE
+LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.http.HttpServer2=TRACE
+
+
+
 CORE-SITE.XML_hadoop.security.authorization=true
 HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=*
 HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=*
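Review bot: In the second hunk the two LOG4J.PROPERTIES entries are each split across two added lines (the logger prefix on one line, `.AuthenticationFilter=DEBUG` and `.KerberosAuthenticationHandler=TRACE` on the next); in a KEY=VALUE env file each half is read as a separate entry, so neither logger level would be applied — they should be joined into `LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server.AuthenticationFilter=DEBUG` and `LOG4J.PROPERTIES_log4j.logger.org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler=TRACE`. TRACE on the authentication handler and HttpServer2 is diagnostic output that can include request headers and details of the authentication exchange; useful while fixing this, but worth lowering or removing before the compose ships as the reference secure setup. `hadoop.http.authentication.signature.secret.file=/etc/security/http_secret` presupposes that file exists in the SCM and OM containers with owner-only permissions; nothing in this hunk provisions it, so either the compose creates it elsewhere or the filter initializer will presumably fail at startup — worth confirming. The three trailing blank lines added after the LOG4J block can be dropped.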