diff --git a/hadoop-hdds/docs/content/security/SecureOzone.md b/hadoop-hdds/docs/content/security/SecureOzone.md
index 7d3693e6d81..d49dfe9db7d 100644
--- a/hadoop-hdds/docs/content/security/SecureOzone.md
+++ b/hadoop-hdds/docs/content/security/SecureOzone.md
@@ -100,12 +100,12 @@ All these settings should be made in ozone-site.xml.
| The keytab file used by SCM daemon to login as its service principal. |
- | hdds.scm.http.kerberos.principal
- | SCM http server service principal. |
+ hdds.scm.http.auth.kerberos.principal
+ | SCM http server service principal if SPNEGO is enabled for SCM http server. |
- | hdds.scm.http.kerberos.keytab
- | The keytab file used by SCM http server to login as its service principal. |
+ hdds.scm.http.auth.kerberos.keytab
+ | The keytab file used by SCM http server to login as its service principal if SPNEGO is enabled for SCM http server |
@@ -136,12 +136,12 @@ All these settings should be made in ozone-site.xml.
TThe keytab file used by SCM daemon to login as its service principal. |
- | ozone.om.http.kerberos.principal
- | Ozone Manager http server service principal. |
+ ozone.om.http.auth.kerberos.principal
+ | Ozone Manager http server service principal if SPNEGO is enabled for om http server. |
- | ozone.om.http.kerberos.keytab
- | The keytab file used by OM http server to login as its service principal. |
+ ozone.om.http.auth.kerberos.keytab
+ | The keytab file used by OM http server to login as its service principal if SPNEGO is enabled for om http server. |
@@ -165,11 +165,11 @@ All these settings should be made in ozone-site.xml.
| ozone.s3g.http.auth.kerberos.principal
- | S3 Gateway principal.
e.g. HTTP/_HOST@EXAMPLE.COM |
+ S3 Gateway principal if SPNEGO is enabled for S3 Gateway http server.
e.g. HTTP/_HOST@EXAMPLE.COM |
| ozone.s3g.http.auth.kerberos.keytab
- | The keytab file used by S3 gateway |
+ The keytab file used by S3 gateway if SPNEGO is enabled for S3 Gateway http server. |
diff --git a/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md b/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md
new file mode 100644
index 00000000000..c10f71d21de
--- /dev/null
+++ b/hadoop-hdds/docs/content/security/SecuringOzoneHTTP.md
@@ -0,0 +1,141 @@
+---
+title: "Securing Ozone HTTP web-consoles"
+date: "2020-June-17"
+summary: Secure HTTP web-consoles for Ozone services
+weight: 3
+icon: lock
+---
+
+
+This document describes how to configure Ozone HTTP web-consoles to require user authentication.
+
+### Default authentication
+
+By default Ozone HTTP web-consoles (OM, SCM, S3G, Recon, Datanode)
+allow access without authentication based on the following default configurations.
+
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.security.http.kerberos.enabled | false
+ozone.http.filter.initializers |
+
+If you have an SPNEGO enabled Ozone cluster and want to disable it for all Ozone services,
+just make sure the two key mentioned are configured as above.
+
+### Kerberos based SPNEGO authentication
+However, they can be configured to require Kerberos authentication using HTTP SPNEGO protocol (supported
+by browsers like Firefox and Chrome). To achieve that, the following keys must
+be configured first.
+
+Property| Value
+-----------------------------------|-----------------------------------------
+hadoop.security.authentication | kerberos
+ozone.security.http.kerberos.enabled | true
+ozone.http.filter.initializers | org.apache.hadoop.security.AuthenticationFilterInitializer
+
+After that, individual component needs to configure properly to completely enable
+SPNEGO or SIMPLE authentication.
+
+### Enable SPNEGO authentication for OM HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.om.http.auth.type | kerberos
+ozone.om.http.auth.kerberos.principal | HTTP/_HOST@REALM
+ozone.om.http.auth.kerberos.keytab| /path/to/HTTP.keytab
+
+### Enable SPNEGO authentication for S3G HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.s3g.http.auth.type | kerberos
+ozone.s3g.http.auth.kerberos.principal | HTTP/_HOST@REALM
+ozone.s3g.http.auth.kerberos.keytab| /path/to/HTTP.keytab
+
+### Enable SPNEGO authentication for RECON HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.recon.http.auth.type | kerberos
+ozone.recon.http.auth.kerberos.principal | HTTP/_HOST@REALM
+ozone.recon.http.auth.kerberos.keytab| /path/to/HTTP.keytab
+
+### Enable SPNEGO authentication for SCM HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+hdds.scm.http.auth.type | kerberos
+hdds.scm.http.auth.kerberos.principal | HTTP/_HOST@REALM
+hdds.scm.http.auth.kerberos.keytab| /path/to/HTTP.keytab
+
+### Enable SPNEGO authentication for DATANODE HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+hdds.datanode.http.auth.type | kerberos
+hdds.datanode.http.auth.kerberos.principal | HTTP/_HOST@REALM
+hdds.datanode.http.auth.kerberos.keytab| /path/to/HTTP.keytab
+
+Note: Ozone datanode does not have a default webpage, which prevents you from
+accessing "/" or "/index.html". But it does provide standard
+servlet like jmx/conf/jstack via HTTP.
+
+In addition, Ozone HTTP web-console support the equivalent of Hadoop's Pseudo/Simple authentication.
+If this option is enabled, the user name must be specified in the first browser interaction using the user.name
+query string parameter. e.g., http://scm:9876/?user.name=scmadmin.
+
+### Enable SIMPLE authentication for OM HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.om.http.auth.type | simple
+ozone.om.http.auth.simple.anonymous_allowed | false
+
+If you don't want to specify the user.name in the query string parameter,
+change ozone.om.http.auth.simple.anonymous_allowed to true.
+
+### Enable SIMPLE authentication for S3G HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.s3g.http.auth.type | simple
+ozone.s3g.http.auth.simple.anonymous_allowed | false
+
+If you don't want to specify the user.name in the query string parameter,
+change ozone.s3g.http.auth.simple.anonymous_allowed to true.
+
+### Enable SIMPLE authentication for RECON HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.recon.http.auth.type | simple
+ozone.recon.http.auth.simple.anonymous_allowed | false
+
+If you don't want to specify the user.name in the query string parameter,
+change ozone.recon.http.auth.simple.anonymous_allowed to true.
+
+
+### Enable SIMPLE authentication for SCM HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.scm.http.auth.type | simple
+ozone.scm.http.auth.simple.anonymous_allowed | false
+
+If you don't want to specify the user.name in the query string parameter,
+change ozone.scm.http.auth.simple.anonymous_allowed to true.
+
+### Enable SIMPLE authentication for DATANODE HTTP
+Property| Value
+-----------------------------------|-----------------------------------------
+ozone.datanode.http.auth.type | simple
+ozone.datanode.http.auth.simple.anonymous_allowed | false
+
+If you don't want to specify the user.name in the query string parameter,
+change ozone.datanode.http.auth.simple.anonymous_allowed to true.
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
index 9cb4992d527..80cc96020e2 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -115,9 +115,11 @@ public BaseHttpServer(ConfigurationSource conf, String name)
if (isSecurityEnabled) {
String httpAuthType = conf.get(getHttpAuthType(), "simple");
LOG.info("HttpAuthType: {} = {}", getHttpAuthType(), httpAuthType);
+ // Ozone config prefix must be set to avoid AuthenticationFilter
+ // fall back to default one form hadoop.http.authentication.
+ builder.authFilterConfigurationPrefix(getHttpAuthConfigPrefix());
if (httpAuthType.equals("kerberos")) {
builder.setSecurityEnabled(true);
- builder.authFilterConfigurationPrefix(getHttpAuthConfigPrefix());
builder.setUsernameConfKey(getSpnegoPrincipal());
builder.setKeytabConfKey(getKeytabFile());
}
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
index a37a08c6c90..2d74898fb79 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
@@ -572,12 +572,13 @@ private HttpServer2(final Builder b) throws IOException {
this.findPort = b.findPort;
this.portRanges = b.portRanges;
initializeWebServer(b.name, b.hostName, b.conf, b.pathSpecs,
- b.authFilterConfigurationPrefix);
+ b.authFilterConfigurationPrefix, b.securityEnabled);
}
private void initializeWebServer(String name, String hostName,
ConfigurationSource conf, String[] pathSpecs,
- String authFilterConfigPrefix) throws IOException {
+ String authFilterConfigPrefix,
+ boolean securityEnabled) throws IOException {
Preconditions.checkNotNull(webAppContext);
@@ -614,14 +615,17 @@ private void initializeWebServer(String name, String hostName,
final FilterInitializer[] initializers = getFilterInitializers(conf);
if (initializers != null) {
conf.set(BIND_ADDRESS, hostName);
+ org.apache.hadoop.conf.Configuration hadoopConf =
+ LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
+ Map filterConfig = getFilterConfigMap(hadoopConf,
+ authFilterConfigPrefix);
for (FilterInitializer c : initializers) {
- //c.initFilter(this, conf) does not work here as it does not take config
- // prefix key.
- Map filterConfig = getFilterConfigMap(
- LegacyHadoopConfigurationSource.asHadoopConfiguration(conf),
- authFilterConfigPrefix);
- addFilter("authentication", AuthenticationFilter.class.getName(),
- filterConfig);
+ if ((c instanceof AuthenticationFilterInitializer) && securityEnabled) {
+ addFilter("authentication",
+ AuthenticationFilter.class.getName(), filterConfig);
+ } else {
+ c.initFilter(this, hadoopConf);
+ }
}
}
diff --git a/hadoop-ozone/integration-test/src/test/resources/log4j.properties b/hadoop-ozone/integration-test/src/test/resources/log4j.properties
index b8ad21d6c7f..e5381ad212f 100644
--- a/hadoop-ozone/integration-test/src/test/resources/log4j.properties
+++ b/hadoop-ozone/integration-test/src/test/resources/log4j.properties
@@ -19,3 +19,6 @@ log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c{2} (%F:%
log4j.logger.org.apache.hadoop.security.ShellBasedUnixGroupsMapping=ERROR
log4j.logger.org.apache.hadoop.util.NativeCodeLoader=ERROR
+
+log4j.logger.org.apache.ratis.grpc.server.GrpcLogAppender=DEBUG
+log4j.logger.org.apache.ratis.server.impl.RaftServerImpl=DEBUG