hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Zhuge (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-14786) HTTP default servlets do not require authentication when kerberos is enabled
Date Fri, 18 Aug 2017 02:03:00 GMT
John Zhuge created HADOOP-14786:

             Summary: HTTP default servlets do not require authentication when kerberos is
                 Key: HADOOP-14786
                 URL: https://issues.apache.org/jira/browse/HADOOP-14786
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.8.0
            Reporter: John Zhuge
            Assignee: John Zhuge

The default HttpServer2 servlet /jmx, /conf, /logLevel, and /stack do not require authentication
when Kerberos is enabled.

  // set up default servlets
  addServlet("stacks", "/stacks", StackServlet.class);
  addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
  addServlet("jmx", "/jmx", JMXJsonServlet.class);
  addServlet("conf", "/conf", ConfServlet.class);

public void addServlet(String name, String pathSpec,
                       Class<? extends HttpServlet> clazz) {
  addInternalServlet(name, pathSpec, clazz, false);
  addFilterPathMapping(pathSpec, webAppContext);
addInternalServlet(…, bool requireAuth)
if(requireAuth && UserGroupInformation.isSecurityEnabled()) {
  LOG.info("Adding Kerberos (SPNEGO) filter to " + name);

{{requireAuth}} is {{false}} for the default servlets inside {{addInternalServlet}}.

The issue can be verified by running the following curl command against NameNode web address
when Kerberos is enabled:
curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
Expect curl to fail, but it returns JMX anyway.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org

View raw message