[jira] [Commented] (HADOOP-10670) Allow AuthenticationFilters to load secret from signature secret files

Wed, 25 Mar 2015 22:14:42 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14381379#comment-14381379
 ] 

Sangjin Lee commented on HADOOP-10670:
--------------------------------------

I stumbled upon this while running unit tests that start the mini YARN cluster. 
But I just verified the real issue by doing a build off of the trunk and 
starting a pseudo-distributed cluster. Basically RM fails to start in the 
non-secure mode with the following exception:

{noformat}
2015-03-25 22:02:42,526 WARN org.mortbay.log: failed RMAuthenticationFilter: 
javax.servlet.ServletException: java.lang.RuntimeException: Could not read 
signature secret file: /Users/sjlee/hadoop-http-auth-signature-secret
2015-03-25 22:02:42,526 WARN org.mortbay.log: Failed startup of context 
org.mortbay.jetty.webapp.WebAppContext@6de50b08{/,jar:file:/Users/sjlee/hadoop-3.0.0-SNAPSHOT/share/hadoop/yarn/hadoop-yarn-common-3.0.0-SNAPSHOT.jar!/webapps/cluster}
javax.servlet.ServletException: java.lang.RuntimeException: Could not read 
signature secret file: /Users/sjlee/hadoop-http-auth-signature-secret
        at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeSecretProvider(AuthenticationFilter.java:266)
        at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:225)
        at 
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.init(DelegationTokenAuthenticationFilter.java:161)
        at 
org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.init(RMAuthenticationFilter.java:53)
        at org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:97)
        at 
org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at 
org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:713)
        at org.mortbay.jetty.servlet.Context.startContext(Context.java:140)
        at 
org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1282)
        at 
org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:518)
        at 
org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:499)
        at 
org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at 
org.mortbay.jetty.handler.HandlerCollection.doStart(HandlerCollection.java:152)
        at 
org.mortbay.jetty.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:156)
        at 
org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at 
org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
        at org.mortbay.jetty.Server.doStart(Server.java:224)
        at 
org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:773)
        at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:274)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.startWepApp(ResourceManager.java:974)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(ResourceManager.java:1074)
        at 
org.apache.hadoop.service.AbstractService.start(AbstractService.java:193)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1208)
Caused by: java.lang.RuntimeException: Could not read signature secret file: 
/Users/sjlee/hadoop-http-auth-signature-secret
        at 
org.apache.hadoop.security.authentication.util.FileSignerSecretProvider.init(FileSignerSecretProvider.java:59)
        at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeSecretProvider(AuthenticationFilter.java:264)
        ... 23 more
...
2015-03-25 22:02:42,538 FATAL 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager: Error starting 
ResourceManager
org.apache.hadoop.yarn.webapp.WebAppException: Error starting http server
        at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:279)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.startWepApp(ResourceManager.java:974)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(ResourceManager.java:1074)
        at 
org.apache.hadoop.service.AbstractService.start(AbstractService.java:193)
        at 
org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1208)
Caused by: java.io.IOException: Problem in starting http server. Server 
handlers failed
        at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:785)
        at org.apache.hadoop.yarn.webapp.WebApps$Builder.start(WebApps.java:274)
        ... 4 more
{noformat}

I suspect the same failure on branch-2.

Note that core-default.xml has the property defined:

{noformat}
<property>
  <name>hadoop.http.authentication.signature.secret.file</name>
  <value>${user.home}/hadoop-http-auth-signature-secret</value>
  <description>
    The signature secret for signing the authentication tokens.
    The same secret should be used for JT/NN/DN/TT configurations.
  </description>
</property>
{noformat}


> Allow AuthenticationFilters to load secret from signature secret files
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10670
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10670
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>            Priority: Minor
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-10670-v4.patch, HADOOP-10670-v5.patch, 
> HADOOP-10670-v6.patch, hadoop-10670-v2.patch, hadoop-10670-v3.patch, 
> hadoop-10670.patch
>
>
> In Hadoop web console, by using AuthenticationFilterInitializer, it's allowed 
> to configure AuthenticationFilter for the required signature secret by 
> specifying signature.secret.file property. This improvement would also allow 
> this when AuthenticationFilterInitializer isn't used in situations like 
> webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to