branch-0.23.1/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml - hadoop - Git at Google

 <?xml version="1.0"?>
 <!--
   Copyright 2002-2004 The Apache Software Foundation

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 -->

 <!DOCTYPE document PUBLIC "-//APACHE//DTD Documentation V2.0//EN"
           "http://forrest.apache.org/dtd/document-v20.dtd">


 <document>

   <header>
     <title>
       Authentication for Hadoop HTTP web-consoles
     </title>
   </header>

   <body>
     <section>
       <title> Introduction </title>
       <p>
         This document describes how to configure Hadoop HTTP web-consoles to require user
         authentication.
       </p>
       <p>
         By default Hadoop HTTP web-consoles (JobTracker, NameNode, TaskTrackers and DataNodes) allow
         access without any form of authentication.
       </p>
       <p>
         Similarly to Hadoop RPC, Hadoop HTTP web-consoles can be configured to require Kerberos
         authentication using HTTP SPNEGO protocol (supported by browsers like Firefox and Internet
         Explorer).
       </p>
       <p>
         In addition, Hadoop HTTP web-consoles support the equivalent of Hadoop's Pseudo/Simple
         authentication. If this option is enabled, user must specify their user name in the first
         browser interaction using the <code>user.name</code> query string parameter. For example:
         <code>http://localhost:50030/jobtracker.jsp?user.name=babu</code>.
       </p>
       <p>
         If a custom authentication mechanism is required for the HTTP web-consoles, it is possible
         to implement a plugin to support the alternate authentication mechanism (refer to
         Hadoop hadoop-auth for details on writing an <code>AuthenticatorHandler</code>).
       </p>
       <p>
         The next section describes how to configure Hadoop HTTP web-consoles to require user
         authentication.
       </p>
     </section>

     <section>
       <title> Configuration </title>

       <p>
         The following properties should be in the <code>core-site.xml</code> of all the nodes
         in the cluster.
       </p>

       <p><code>hadoop.http.filter.initializers</code>: add to this property the
       <code>org.apache.hadoop.security.AuthenticationFilterInitializer</code> initializer class.
       </p>

       <p><code>hadoop.http.authentication.type</code>: Defines authentication used for the HTTP
       web-consoles. The supported values are: <code>simple | kerberos |
       #AUTHENTICATION_HANDLER_CLASSNAME#</code>. The dfeault value is <code>simple</code>.
       </p>

       <p><code>hadoop.http.authentication.token.validity</code>: Indicates how long (in seconds)
       an authentication token is valid before it has to be renewed. The default value is
       <code>36000</code>.
       </p>

       <p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for
       signing the authentication tokens. If not set a random secret is generated at
       startup time. The same secret should be used for all nodes in the cluster, JobTracker,
       NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value.
       </p>

       <p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP
       cookie that stores the authentication token. In order to authentiation to work
       correctly across all nodes in the cluster the domain must be correctly set.
       There is no default value, the HTTP cookie will not have a domain working only
       with the hostname issuing the HTTP cookie.
       </p>

       <p>
       IMPORTANT: when using IP addresses, browsers ignore cookies with domain settings.
       For this setting to work properly all nodes in the cluster must be configured
       to generate URLs with hostname.domain names on it.
       </p>

       <p><code>hadoop.http.authentication.simple.anonymous.allowed</code>: Indicates if anonymous
       requests are allowed when using 'simple' authentication. The default value is
       <code>true</code>
       </p>

       <p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos
       principal to be used for HTTP endpoint when using 'kerberos' authentication.
       The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification.
       The default value is <code>HTTP/localhost@$LOCALHOST</code>.
       </p>

       <p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file
       with the credentials for the Kerberos principal used for the HTTP endpoint.
       The default value is <code>${user.home}/hadoop.keytab</code>.i
       </p>

     </section>

   </body>
 </document>
	<?xml version="1.0"?>
	<!--
	Copyright 2002-2004 The Apache Software Foundation

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<!DOCTYPE document PUBLIC "-//APACHE//DTD Documentation V2.0//EN"
	"http://forrest.apache.org/dtd/document-v20.dtd">


	<document>

	<header>
	<title>
	Authentication for Hadoop HTTP web-consoles
	</title>
	</header>

	<body>
	<section>
	<title> Introduction </title>
	<p>
	This document describes how to configure Hadoop HTTP web-consoles to require user
	authentication.
	</p>
	<p>
	By default Hadoop HTTP web-consoles (JobTracker, NameNode, TaskTrackers and DataNodes) allow
	access without any form of authentication.
	</p>
	<p>
	Similarly to Hadoop RPC, Hadoop HTTP web-consoles can be configured to require Kerberos
	authentication using HTTP SPNEGO protocol (supported by browsers like Firefox and Internet
	Explorer).
	</p>
	<p>
	In addition, Hadoop HTTP web-consoles support the equivalent of Hadoop's Pseudo/Simple
	authentication. If this option is enabled, user must specify their user name in the first
	browser interaction using the <code>user.name</code> query string parameter. For example:
	<code>http://localhost:50030/jobtracker.jsp?user.name=babu</code>.
	</p>
	<p>
	If a custom authentication mechanism is required for the HTTP web-consoles, it is possible
	to implement a plugin to support the alternate authentication mechanism (refer to
	Hadoop hadoop-auth for details on writing an <code>AuthenticatorHandler</code>).
	</p>
	<p>
	The next section describes how to configure Hadoop HTTP web-consoles to require user
	authentication.
	</p>
	</section>

	<section>
	<title> Configuration </title>

	<p>
	The following properties should be in the <code>core-site.xml</code> of all the nodes
	in the cluster.
	</p>

	<p><code>hadoop.http.filter.initializers</code>: add to this property the
	<code>org.apache.hadoop.security.AuthenticationFilterInitializer</code> initializer class.
	</p>

	<p><code>hadoop.http.authentication.type</code>: Defines authentication used for the HTTP
	web-consoles. The supported values are: <code>simple \| kerberos \|
	#AUTHENTICATION_HANDLER_CLASSNAME#</code>. The dfeault value is <code>simple</code>.
	</p>

	<p><code>hadoop.http.authentication.token.validity</code>: Indicates how long (in seconds)
	an authentication token is valid before it has to be renewed. The default value is
	<code>36000</code>.
	</p>

	<p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for
	signing the authentication tokens. If not set a random secret is generated at
	startup time. The same secret should be used for all nodes in the cluster, JobTracker,
	NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value.
	</p>

	<p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP
	cookie that stores the authentication token. In order to authentiation to work
	correctly across all nodes in the cluster the domain must be correctly set.
	There is no default value, the HTTP cookie will not have a domain working only
	with the hostname issuing the HTTP cookie.
	</p>

	<p>
	IMPORTANT: when using IP addresses, browsers ignore cookies with domain settings.
	For this setting to work properly all nodes in the cluster must be configured
	to generate URLs with hostname.domain names on it.
	</p>

	<p><code>hadoop.http.authentication.simple.anonymous.allowed</code>: Indicates if anonymous
	requests are allowed when using 'simple' authentication. The default value is
	<code>true</code>
	</p>

	<p><code>hadoop.http.authentication.kerberos.principal</code>: Indicates the Kerberos
	principal to be used for HTTP endpoint when using 'kerberos' authentication.
	The principal short name must be <code>HTTP</code> per Kerberos HTTP SPENGO specification.
	The default value is <code>HTTP/localhost@$LOCALHOST</code>.
	</p>

	<p><code>hadoop.http.authentication.kerberos.keytab</code>: Location of the keytab file
	with the credentials for the Kerberos principal used for the HTTP endpoint.
	The default value is <code>${user.home}/hadoop.keytab</code>.i
	</p>

	</section>

	</body>
	</document>