Home Verkennen Help
Inloggen
liuzhangxing
/
hadoop
geforked van apache/hadoop
1
0
Vork 0
Bestanden
Boom: f4a723249e
Aftakkingen Labels
hadoop
/
hadoop-common-project
/
hadoop-auth
/
src
/
site
/
apt
/
Configuration.apt.vm

Configuration.apt.vm 8.6 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248 
  1. ~~ Licensed under the Apache License, Version 2.0 (the "License");
    2. 

  2. ~~ you may not use this file except in compliance with the License.
    3. 

  3. ~~ You may obtain a copy of the License at
    4. 

  4. ~~
    5. 

  5. ~~   http://www.apache.org/licenses/LICENSE-2.0
    6. 

  6. ~~
    7. 

  7. ~~ Unless required by applicable law or agreed to in writing, software
    8. 

  8. ~~ distributed under the License is distributed on an "AS IS" BASIS,
    9. 

  9. ~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    10. 

  10. ~~ See the License for the specific language governing permissions and
    11. 

  11. ~~ limitations under the License. See accompanying LICENSE file.
    12. 

  12. 

  13.   ---
    14. 

  14.   Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
    15. 

  15.   Configuration
    16. 

  16.   ---
    17. 

  17.   ---
    18. 

  18.   ${maven.build.timestamp}
    19. 

  19. 

  20. Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
    21. 

  21. Configuration
    22. 

  22. 

  23.   \[ {{{./index.html}Go Back}} \]
    24. 

  24. 

  25. * Server Side Configuration Setup
    26. 

  26. 

  27.   The {{{./apidocs/org/apache/hadoop/auth/server/AuthenticationFilter.html}
    28. 

  28.   AuthenticationFilter filter}} is Hadoop Auth's server side component.
    29. 

  29. 

  30.   This filter must be configured in front of all the web application resources
    31. 

  31.   that required authenticated requests. For example:
    32. 

  32. 

  33.   The Hadoop Auth and dependent JAR files must be in the web application
    34. 

  34.   classpath (commonly the <<<WEB-INF/lib>>> directory).
    35. 

  35. 

  36.   Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define
    37. 

  37.   the SLF4J API dependency but it does not define the dependency on a concrete
    38. 

  38.   logging implementation, this must be addded explicitly to the web
    39. 

  39.   application. For example, if the web applicationan uses Log4j, the
    40. 

  40.   SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application
    41. 

  41.   classpath as well as the Log4j configuration file.
    42. 

  42. 

  43. ** Common Configuration parameters
    44. 

  44. 

  45.   * <<<config.prefix>>>: If specified, all other configuration parameter names
    46. 

  46.     must start with the prefix. The default value is no prefix.
    47. 

  47. 

  48.   * <<<[PREFIX.]type>>>: the authentication type keyword (<<<simple>>> or
    49. 

  49.     <<<kerberos>>>) or a
    50. 

  50.     {{{./apidocs/org/apache/hadoop/auth/server/AuthenticationHandler.html}
    51. 

  51.     Authentication handler implementation}}.
    52. 

  52. 

  53.   * <<<[PREFIX.]signature.secret>>>: The secret to SHA-sign the generated
    54. 

  54.     authentication tokens. If a secret is not provided a random secret is
    55. 

  55.     generated at start up time. If using multiple web application instances
    56. 

  56.     behind a load-balancer a secret must be set for the application to work
    57. 

  57.     properly.
    58. 

  58. 

  59.   * <<<[PREFIX.]token.validity>>>: The validity -in seconds- of the generated
    60. 

  60.     authentication token. The default value is <<<3600>>> seconds.
    61. 

  61. 

  62.   * <<<[PREFIX.]cookie.domain>>>: domain to use for the HTTP cookie that stores
    63. 

  63.     the authentication token.
    64. 

  64. 

  65.   * <<<[PREFIX.]cookie.path>>>: path to use for the HTTP cookie that stores the
    66. 

  66.     authentication token.
    67. 

  67. 

  68. ** Kerberos Configuration
    69. 

  69. 

  70.   <<IMPORTANT>>: A KDC must be configured and running.
    71. 

  71. 

  72.   To use Kerberos SPNEGO as the authentication mechanism, the authentication
    73. 

  73.   filter must be configured with the following init parameters:
    74. 

  74. 

  75.     * <<<[PREFIX.]type>>>: the keyword <<<kerberos>>>.
    76. 

  76. 

  77.     * <<<[PREFIX.]kerberos.principal>>>: The web-application Kerberos principal
    78. 

  78.       name. The Kerberos principal name must start with <<<HTTP/...>>>. For
    79. 

  79.       example: <<<HTTP/localhost@LOCALHOST>>>.  There is no default value.
    80. 

  80. 

  81.     * <<<[PREFIX.]kerberos.keytab>>>: The path to the keytab file containing
    82. 

  82.       the credentials for the kerberos principal. For example:
    83. 

  83.       <<</Users/tucu/tucu.keytab>>>. There is no default value.
    84. 

  84. 

  85.   <<Example>>:
    86. 

  86. 

  87. +---+
    88. 

  88. <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    89. 

  89.     ...
    90. 

  90. 

  91.     <filter>
    92. 

  92.         <filter-name>kerberosFilter</filter-name>
    93. 

  93.         <filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
    94. 

  94.         <init-param>
    95. 

  95.             <param-name>type</param-name>
    96. 

  96.             <param-value>kerberos</param-value>
    97. 

  97.         </init-param>
    98. 

  98.         <init-param>
    99. 

  99.             <param-name>token.validity</param-name>
    100. 

  100.             <param-value>30</param-value>
    101. 

  101.         </init-param>
    102. 

  102.         <init-param>
    103. 

  103.             <param-name>cookie.domain</param-name>
    104. 

  104.             <param-value>.foo.com</param-value>
    105. 

  105.         </init-param>
    106. 

  106.         <init-param>
    107. 

  107.             <param-name>cookie.path</param-name>
    108. 

  108.             <param-value>/</param-value>
    109. 

  109.         </init-param>
    110. 

  110.         <init-param>
    111. 

  111.             <param-name>kerberos.principal</param-name>
    112. 

  112.             <param-value>HTTP/localhost@LOCALHOST</param-value>
    113. 

  113.         </init-param>
    114. 

  114.         <init-param>
    115. 

  115.             <param-name>kerberos.keytab</param-name>
    116. 

  116.             <param-value>/tmp/auth.keytab</param-value>
    117. 

  117.         </init-param>
    118. 

  118.     </filter>
    119. 

  119. 

  120.     <filter-mapping>
    121. 

  121.         <filter-name>kerberosFilter</filter-name>
    122. 

  122.         <url-pattern>/kerberos/*</url-pattern>
    123. 

  123.     </filter-mapping>
    124. 

  124. 

  125.     ...
    126. 

  126. </web-app>
    127. 

  127. +---+
    128. 

  128. 

  129. ** Pseudo/Simple Configuration
    130. 

  130. 

  131.   To use Pseudo/Simple as the authentication mechanism (trusting the value of
    132. 

  132.   the query string parameter 'user.name'), the authentication filter must be
    133. 

  133.   configured with the following init parameters:
    134. 

  134. 

  135.     * <<<[PREFIX.]type>>>: the keyword <<<simple>>>.
    136. 

  136. 

  137.     * <<<[PREFIX.]simple.anonymous.allowed>>>: is a boolean parameter that
    138. 

  138.       indicates if anonymous requests are allowed or not. The default value is
    139. 

  139.       <<<false>>>.
    140. 

  140. 

  141.   <<Example>>:
    142. 

  142. 

  143. +---+
    144. 

  144. <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    145. 

  145.     ...
    146. 

  146. 

  147.     <filter>
    148. 

  148.         <filter-name>simpleFilter</filter-name>
    149. 

  149.         <filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
    150. 

  150.         <init-param>
    151. 

  151.             <param-name>type</param-name>
    152. 

  152.             <param-value>simple</param-value>
    153. 

  153.         </init-param>
    154. 

  154.         <init-param>
    155. 

  155.             <param-name>token.validity</param-name>
    156. 

  156.             <param-value>30</param-value>
    157. 

  157.         </init-param>
    158. 

  158.         <init-param>
    159. 

  159.             <param-name>cookie.domain</param-name>
    160. 

  160.             <param-value>.foo.com</param-value>
    161. 

  161.         </init-param>
    162. 

  162.         <init-param>
    163. 

  163.             <param-name>cookie.path</param-name>
    164. 

  164.             <param-value>/</param-value>
    165. 

  165.         </init-param>
    166. 

  166.         <init-param>
    167. 

  167.             <param-name>simple.anonymous.allowed</param-name>
    168. 

  168.             <param-value>false</param-value>
    169. 

  169.         </init-param>
    170. 

  170.     </filter>
    171. 

  171. 

  172.     <filter-mapping>
    173. 

  173.         <filter-name>simpleFilter</filter-name>
    174. 

  174.         <url-pattern>/simple/*</url-pattern>
    175. 

  175.     </filter-mapping>
    176. 

  176. 

  177.     ...
    178. 

  178. </web-app>
    179. 

  179. +---+
    180. 

  180. 

  181. ** AltKerberos Configuration
    182. 

  182. 

  183.   <<IMPORTANT>>: A KDC must be configured and running.
    184. 

  184. 

  185.   The AltKerberos authentication mechanism is a partially implemented derivative
    186. 

  186.   of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of
    187. 

  187.   authentication where Kerberos SPNEGO is used by non-browsers while an
    188. 

  188.   alternate form of authentication (to be implemented by the user) is used for
    189. 

  189.   browsers.  To use AltKerberos as the authentication mechanism (besides
    190. 

  190.   providing an implementation), the authentication filter must be configured
    191. 

  191.   with the following init parameters, in addition to the previously mentioned
    192. 

  192.   Kerberos SPNEGO ones:
    193. 

  193. 

  194.     * <<<[PREFIX.]type>>>: the full class name of the implementation of
    195. 

  195.       AltKerberosAuthenticationHandler to use.
    196. 

  196. 

  197.     * <<<[PREFIX.]alt-kerberos.non-browser.user-agents>>>: a comma-separated
    198. 

  198.       list of which user-agents should be considered non-browsers.
    199. 

  199. 

  200.   <<Example>>:
    201. 

  201. 

  202. +---+
    203. 

  203. <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    204. 

  204.     ...
    205. 

  205. 

  206.     <filter>
    207. 

  207.         <filter-name>kerberosFilter</filter-name>
    208. 

  208.         <filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
    209. 

  209.         <init-param>
    210. 

  210.             <param-name>type</param-name>
    211. 

  211.             <param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
    212. 

  212.         </init-param>
    213. 

  213.         <init-param>
    214. 

  214.             <param-name>alt-kerberos.non-browser.user-agents</param-name>
    215. 

  215.             <param-value>java,curl,wget,perl</param-value>
    216. 

  216.         </init-param>
    217. 

  217.         <init-param>
    218. 

  218.             <param-name>token.validity</param-name>
    219. 

  219.             <param-value>30</param-value>
    220. 

  220.         </init-param>
    221. 

  221.         <init-param>
    222. 

  222.             <param-name>cookie.domain</param-name>
    223. 

  223.             <param-value>.foo.com</param-value>
    224. 

  224.         </init-param>
    225. 

  225.         <init-param>
    226. 

  226.             <param-name>cookie.path</param-name>
    227. 

  227.             <param-value>/</param-value>
    228. 

  228.         </init-param>
    229. 

  229.         <init-param>
    230. 

  230.             <param-name>kerberos.principal</param-name>
    231. 

  231.             <param-value>HTTP/localhost@LOCALHOST</param-value>
    232. 

  232.         </init-param>
    233. 

  233.         <init-param>
    234. 

  234.             <param-name>kerberos.keytab</param-name>
    235. 

  235.             <param-value>/tmp/auth.keytab</param-value>
    236. 

  236.         </init-param>
    237. 

  237.     </filter>
    238. 

  238. 

  239.     <filter-mapping>
    240. 

  240.         <filter-name>kerberosFilter</filter-name>
    241. 

  241.         <url-pattern>/kerberos/*</url-pattern>
    242. 

  242.     </filter-mapping>
    243. 

  243. 

  244.     ...
    245. 

  245. </web-app>
    246. 

  246. +---+
    247. 

  247. 

  248.   \[ {{{./index.html}Go Back}} \]
    249.