Authentication for Hadoop HTTP web-consoles

Introduction

This document describes how to configure the Hadoop HTTP web-consoles to require user authentication.

By default, the Hadoop HTTP web-consoles (ResourceManager, NameNode, NodeManagers and DataNodes) allow access without any form of authentication.

The Hadoop HTTP web-consoles can be configured to require Kerberos authentication using the HTTP SPNEGO protocol (supported by browsers such as Firefox and Internet Explorer).

In addition, the Hadoop HTTP web-consoles support the equivalent of Hadoop's Pseudo/Simple authentication. If this option is enabled, the user name must be specified in the first browser interaction using the user.name query string parameter, for example http://localhost:8088/cluster?user.name=babu

If a custom authentication mechanism is required for the HTTP web-consoles, it is possible to implement a plugin to support the alternate authentication mechanism (refer to Hadoop hadoop-auth for details on writing an AuthenticationHandler).

The next section describes how to configure the Hadoop HTTP web-consoles to require user authentication.

Configuration

The following properties should be set in the core-site.xml file of all nodes in the cluster.

Property name, default value and description:

hadoop.http.filter.initializers
    Default: (none)
    Add the org.apache.hadoop.security.AuthenticationFilterInitializer initializer class to this property.

hadoop.http.authentication.type
    Default: simple
    Defines the authentication used for the HTTP web-consoles. The supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#.

hadoop.http.authentication.token.validity
    Default: 36000
    How long (in seconds) an authentication token is valid before it has to be renewed.

hadoop.http.authentication.token.max-inactive-interval
    Default: -1 (disabled)
    The maximum time, in seconds, allowed between client requests; once the client has been inactive for longer than this, the server invalidates the token.

hadoop.http.authentication.signature.secret.file
    Default: $user.home/hadoop-http-auth-signature-secret
    The signature secret file used to sign the authentication tokens. A different secret should be used for each service in the cluster (ResourceManager, NameNode, DataNode and NodeManager). This file should be readable only by the Unix user running the daemons.

hadoop.http.authentication.cookie.domain
    Default: (none)
    The domain to use for the HTTP cookie that stores the authentication token. For authentication to work correctly across all nodes in the cluster, the domain must be set correctly. There is no default value; without a domain, the HTTP cookie works only with the hostname that issued it. IMPORTANT: when using IP addresses, browsers ignore cookies with domain settings. For this setting to work properly, all nodes in the cluster must be configured to generate URLs with hostname.domain names in them.

hadoop.http.authentication.cookie.persistent
    Default: false (session cookie)
    Specifies whether the HTTP cookie is persistent. If the value is true, the cookie is a persistent one; otherwise, it is a session cookie.

hadoop.http.authentication.simple.anonymous.allowed
    Default: true
    Whether anonymous requests are allowed when using 'simple' authentication.

hadoop.http.authentication.kerberos.principal
    Default: HTTP/_HOST@$LOCALHOST
    The Kerberos principal to be used for the HTTP endpoint when using 'kerberos' authentication. The principal's short name must be HTTP, as required by the Kerberos HTTP SPNEGO specification. _HOST, if present, is replaced with the bind address of the HTTP server.

hadoop.http.authentication.kerberos.keytab
    Default: $user.home/hadoop.keytab
    Location of the keytab file with the credentials for the Kerberos principal used for the HTTP endpoint.

CORS

To enable cross-origin support (CORS), set the following configuration parameters:

Add org.apache.hadoop.security.HttpCrossOriginFilterInitializer to hadoop.http.filter.initializers in core-site.xml. You also need to set the following properties in core-site.xml:

Property, default value and description:

hadoop.http.cross-origin.enabled
    Default: false
    Enables cross-origin support for all web services.

hadoop.http.cross-origin.allowed-origins
    Default: *
    Comma-separated list of origins that are allowed. Values prefixed with regex: are interpreted as regular expressions. Values containing wildcards (*) are possible as well; a regular expression is generated from them, but their use is discouraged and support is only kept for backward compatibility.

hadoop.http.cross-origin.allowed-methods
    Default: GET,POST,HEAD
    Comma-separated list of methods that are allowed.

hadoop.http.cross-origin.allowed-headers
    Default: X-Requested-With,Content-Type,Accept,Origin
    Comma-separated list of headers that are allowed.

hadoop.http.cross-origin.max-age
    Default: 1800
    Number of seconds a pre-flighted request can be cached.

Trusted Proxy

Trusted Proxy adds support for performing operations as the end user instead of as the proxy user. It takes the end user from the doAs query parameter. To enable Trusted Proxy, set the following configuration parameter:

Add org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer to hadoop.http.filter.initializers in core-site.xml, instead of org.apache.hadoop.security.AuthenticationFilterInitializer.
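As an added example (not part of the Hadoop documentation), the following Python script parses a core-site.xml and flags the settings from the Configuration and CORS sections above that leave the web-consoles weakly protected: no authentication filter, 'simple' type with anonymous access, the default signature secret file, no cookie domain, and CORS open to every origin. Both core-site.xml documents are constructed samples; the realm EXAMPLE.COM, the cookie domain, the secret file path and the allowed origin are assumed placeholders.

```python
import xml.etree.ElementTree as ET

AUTH_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"
PROXY_INIT = "org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer"

def parse_core_site(xml_text):
    """Return a {property name: value} dict from a core-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_http_auth(props):
    """Return findings for settings that leave the web-consoles weakly protected (empty = none)."""
    findings = []
    inits = {i.strip() for i in props.get("hadoop.http.filter.initializers", "").split(",")}
    if not inits & {AUTH_INIT, PROXY_INIT}:
        findings.append("no authentication filter initializer: consoles accept unauthenticated requests")
    if props.get("hadoop.http.authentication.type", "simple") == "simple":
        findings.append("authentication.type is simple: identity comes from the user.name query parameter")
        if props.get("hadoop.http.authentication.simple.anonymous.allowed", "true") == "true":
            findings.append("simple.anonymous.allowed is true: anonymous requests are accepted")
    if "hadoop.http.authentication.signature.secret.file" not in props:
        findings.append("signature.secret.file not set: default path, so daemons likely share one secret")
    if not props.get("hadoop.http.authentication.cookie.domain"):
        findings.append("cookie.domain unset: the token cookie only works on the issuing hostname")
    if props.get("hadoop.http.cross-origin.enabled", "false") == "true":
        origins = [o.strip() for o in props.get("hadoop.http.cross-origin.allowed-origins", "*").split(",")]
        if "*" in origins:
            findings.append("cross-origin.allowed-origins is *: any origin may call the web services")
    return findings

# Constructed sample: the filter was enabled but every other setting was left at its default.
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.http.filter.initializers</name><value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.cross-origin.enabled</name><value>true</value></property>
</configuration>"""

# Constructed sample: Kerberos SPNEGO, a per-daemon secret, a cluster cookie domain, restricted CORS.
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.http.filter.initializers</name><value>org.apache.hadoop.security.AuthenticationFilterInitializer,org.apache.hadoop.security.HttpCrossOriginFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.http.authentication.signature.secret.file</name><value>/etc/security/http-auth-secret-namenode</value></property>
  <property><name>hadoop.http.authentication.cookie.domain</name><value>example.com</value></property>
  <property><name>hadoop.http.cross-origin.enabled</name><value>true</value></property>
  <property><name>hadoop.http.cross-origin.allowed-origins</name><value>https://admin.example.com</value></property>
</configuration>"""
```

Running `audit_http_auth(parse_core_site(WEAK_CORE_SITE))` reports five findings, while the hardened document reports none.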