From: xiao@apache.org To: common-commits@hadoop.apache.org Message-Id: <2e10467051494daaa79e0b963dfe8a92@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge. Date: Mon, 6 Feb 2017 21:15:05 +0000 (UTC) archived-at: Mon, 06 Feb 2017 21:15:07 -0000 Repository: hadoop Updated Branches: refs/heads/trunk 663e683ad -> d88497d44 HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d88497d4 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d88497d4 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d88497d4 Branch: refs/heads/trunk Commit: d88497d44a7c34ae4cf0295c89b3584d834057d5 Parents: 663e683 Author: Xiao Chen Authored: Mon Feb 6 13:14:17 2017 -0800 Committer: Xiao Chen Committed: Mon Feb 6 13:14:17 2017 -0800 ---------------------------------------------------------------------- .../crypto/key/kms/server/KMSConfiguration.java | 2 ++ .../hadoop/crypto/key/kms/server/KMSWebApp.java | 10 ------ .../crypto/key/kms/server/KMSWebServer.java | 3 ++ .../src/main/resources/kms-default.xml | 14 ++++++++ .../hadoop-kms/src/site/markdown/index.md.vm | 38 ++++++++++++++++++-- 5 files changed, 55 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/d88497d4/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java index 1ef6c4e..cf02dd1 100644 
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java @@ -48,6 +48,8 @@ public class KMSConfiguration { public static final int HTTP_PORT_DEFAULT = 9600; public static final String HTTP_HOST_KEY = "hadoop.kms.http.host"; public static final String HTTP_HOST_DEFAULT = "0.0.0.0"; + public static final String HTTP_ADMINS_KEY = + "hadoop.kms.http.administrators"; // SSL properties public static final String SSL_ENABLED_KEY = "hadoop.kms.ssl.enabled"; http://git-wip-us.apache.org/repos/asf/hadoop/blob/d88497d4/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java index 857139f..ac24105 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java @@ -34,9 +34,7 @@ import org.apache.hadoop.crypto.key.CachingKeyProvider; import org.apache.hadoop.crypto.key.KeyProvider; import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension; import org.apache.hadoop.crypto.key.KeyProviderFactory; -import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.util.VersionInfo; import org.apache.log4j.PropertyConfigurator; import org.slf4j.Logger; 
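Review bot: The new `HTTP_ADMINS_KEY` has no companion default constant, unlike the neighbouring `HTTP_PORT_DEFAULT` and `HTTP_HOST_DEFAULT`; the default `" "` is instead inlined at the `setACL` call in KMSWebServer.java in this same commit. A single-space value is an ACL whose user list and group list are both empty, which by the description added to kms-default.xml here presumably admits nobody, so the deny-by-default deserves a name and a comment next to the key rather than a bare literal at the call site. I would add `/** Default admin ACL: empty user and group lists, i.e. nobody is an admin until the key is set. */` followed by `public static final String HTTP_ADMINS_DEFAULT = " ";` here, and use `conf.get(KMSConfiguration.HTTP_ADMINS_KEY, KMSConfiguration.HTTP_ADMINS_DEFAULT)` in KMSWebServer.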
@@ -144,14 +142,6 @@ public class KMSWebApp implements ServletContextListener { kmsAudit = new KMSAudit(kmsConf); - // this is required for the the JMXJsonServlet to work properly. - // the JMXJsonServlet is behind the authentication filter, - // thus the '*' ACL. - sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, - kmsConf); - sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL, - new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE)); - // intializing the KeyProvider String providerString = kmsConf.get(KMSConfiguration.KEY_PROVIDER_URI); if (providerString == null) { http://git-wip-us.apache.org/repos/asf/hadoop/blob/d88497d4/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java index 02c4a42..1141824 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java @@ -27,6 +27,7 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.ConfigurationWithLogging; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.http.HttpServer2; +import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.ssl.SSLFactory; import org.apache.hadoop.util.StringUtils; import org.slf4j.Logger; 
@@ -84,6 +85,8 @@ public class KMSWebServer { .setConf(conf) .setSSLConf(sslConf) .authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX) + .setACL(new AccessControlList(conf.get( + KMSConfiguration.HTTP_ADMINS_KEY, " "))) .addEndpoint(endpoint) .build(); } http://git-wip-us.apache.org/repos/asf/hadoop/blob/d88497d4/hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml b/hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml index 2b178b8..7055f2d 100644 --- a/hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml +++ b/hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml @@ -38,6 +38,20 @@ + hadoop.kms.http.administrators + + ACL for the admins, this configuration is used to control + who can access the default KMS servlets. The value should be a comma + separated list of users and groups. The user list comes first and is + separated by a space followed by the group list, + e.g. "user1,user2 group1,group2". Both users and groups are optional, + so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2" + are all valid (note the leading space in " group1"). '*' grants access + to all users and groups, e.g. '*', '* ' and ' *' are all valid. + + + + hadoop.kms.ssl.enabled false http://git-wip-us.apache.org/repos/asf/hadoop/blob/d88497d4/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm index 09284e5..7b4b518 100644 --- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm +++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm 
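Review bot: `setACL` on its own does not gate the servlets: per the index.md.vm hunk in this commit the ACL is only honoured when `hadoop.security.authorization` and `hadoop.security.instrumentation.requires.admin` are both true, yet nothing at this call site says so, and a reader of KMSWebServer could assume the admin list is enforced as soon as it is configured. A comment above the added lines would prevent that, e.g. `// Admin ACL for /conf, /jmx, /logLevel, /logs and /stacks; only enforced when` / `// hadoop.security.authorization and hadoop.security.instrumentation.requires.admin are true.` The `" "` fallback is also only reached when the key is absent from both kms-default.xml (which this commit declares with an empty value) and kms-site.xml; an empty string and a single space both describe empty user and group lists, which is presumably equivalent, but a word on that in the same comment would save the next reader the check. The enclosing build method starts before this hunk.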
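Review bot: The description of `hadoop.kms.http.administrators` explains the ACL syntax but not what the empty default means, nor that the ACL is only enforced when `hadoop.security.authorization` and `hadoop.security.instrumentation.requires.admin` are true — this commit states that only in index.md.vm, while kms-default.xml is what an operator looking up a `hadoop.kms.*` key reads first. I would close the description with `The default (empty) value lists no users and no groups. This ACL is only enforced when hadoop.security.authorization and hadoop.security.instrumentation.requires.admin are set to true.` The same description text is duplicated verbatim in index.md.vm, so whichever wording is chosen should be applied in both places.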
@@ -1063,13 +1063,13 @@ configuration properties instead. Environment Variable | Configuration Property | Configuration File -------------------------|------------------------------|-------------------- +KMS_TEMP | hadoop.http.temp.dir | kms-site.xml KMS_HTTP_PORT | hadoop.kms.http.port | kms-site.xml KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml KMS_MAX_THREADS | hadoop.http.max.threads | kms-site.xml KMS_SSL_ENABLED | hadoop.kms.ssl.enabled | kms-site.xml KMS_SSL_KEYSTORE_FILE | ssl.server.keystore.location | ssl-server.xml KMS_SSL_KEYSTORE_PASS | ssl.server.keystore.password | ssl-server.xml -KMS_TEMP | hadoop.http.temp.dir | kms-site.xml $H3 Default HTTP Services 
@@ -1080,4 +1080,38 @@ Name | Description /logLevel | Get or set log level per class /logs | Display log files /stacks | Display JVM stacks -/static/index.html | The static home page \ No newline at end of file +/static/index.html | The static home page + +To control the access to servlet `/conf`, `/jmx`, `/logLevel`, `/logs`, +and `/stacks`, configure the following properties in `kms-site.xml`: + +```xml + + hadoop.security.authorization + true + Is service-level authorization enabled? + + + + hadoop.security.instrumentation.requires.admin + true + + Indicates if administrator ACLs are required to access + instrumentation servlets (JMX, METRICS, CONF, STACKS). + + + + + hadoop.kms.http.administrators + + ACL for the admins, this configuration is used to control + who can access the default KMS servlets. The value should be a comma + separated list of users and groups. The user list comes first and is + separated by a space followed by the group list, + e.g. "user1,user2 group1,group2". Both users and groups are optional, + so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2" + are all valid (note the leading space in " group1"). '*' grants access + to all users and groups, e.g. '*', '* ' and ' *' are all valid. + + +``` \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org