Hadoop-2.2.0 Chinese document--common-hadoop HTTP Web Console authentication

Introduction

This document describes how to configure the Hadoop HTTP Web console to require user authentication.

by default, The Hadoop HTTP Web Console (Jobtracker, NameNode, Tasktrackers, and Datanodes) does not require any authentication to allow access.

Similar to Hadoop RPC, the Hadoop HTTP Web console can be configured to use HTTP SPNEGO protocol authentication (supported by Firefox or IE).

Also, the Hadoop HTTP Web console supports Hadoop's pseudo/simple authentication equally. If this option is enabled, users must specify their user name in the first browser interaction using the User.Name query parameter. For example: http://localhost:50030/jobtracker.jsp?user.name=babu .

If a user authentication mechanism is required by the Hadoop HTTP Web console, you can also implement a plugin that supports dynamic authentication (go to Hadoop-auth for more details on writing Authenticatorhandler )

the next section describes how to configure a Hadoop HTTP Web console, to require user authentication.

Configuration

The following properties should be in Core-site.xml on all nodes in the cluster.

hadoop.http.filter.initializers: Add to this property to org.apache.hadoop.security.AuthenticationFilterInitializer initialize the class.

hadoop.http.authentication.type : Defines authentication for the Hadoop HTTP Web Console.

The supported values are:   simple  |  kerberos  |  #AUTHENTICATION_HANDLER_CLASSNAME # simple

hadoop.http.authentication.token.validity: Declares how long (in seconds) An authentication token is valid before it must be updated. The default value is 36000.

hadoop.http.authentication.signature.secret.file: The signature password file used to issue the authentication token. The same password should be used on all nodes in the cluster, Jobtracker, NameNode, DataNode, and Tasttracker. The default value is $user.home/hadoop-http-auth-signature-secret .

Important: This file should be readable only by UNIX users who run these daemons.

hadoop.http.authentication.cookie.domain: The domain used to store the authentication token HTTP cookie. For authentication to work correctly on all nodes in the cluster, the domain must be set up correctly. There are no default values, and HTTP cookies do not work with HTTP cookies issued by only one domain host.

Important: When using an IP address, the browser ignores the cookie set. Because this setting works correctly, all nodes in the cluster must be configured to generate URLs with Hostname.domain.

< Span style= "font-size:18px" >hadoop.http.authentication.simple.anonymous.allowed : Declares when using ' simple ' authentication, All anonymous access is allowed. The default value is true.

hadoop.http.authentication.kerberos.principal : When authenticating with ' Kerberos ', Declares the authentication rules used by the HTTP terminal. The short name of the rule must be http  per Kerberos HTTP SPNEGO-type declaration. The default value is  http/[email protected] $LOCALHOST ,  If the current binding address of the HTTP server is replaced with _host.

hadoop.http.authentication.kerberos.keytab: The location of the keytab file that contains authentication rule credentials for the HTTP terminal. The default value is $user.home/hadoop.keytab . I.