hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet
Date Wed, 02 May 2012 21:28:52 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Alejandro Abdelnur updated HADOOP-8343:

    Attachment: HADOOP-8343.patch

After further digging I think I figured out how things are supposed to work:

# the instrumentation servlets (stacks/, logLevel/, conf/, metrics/, jmx/) are not to be authentication protected by the built-in SPNEGO filter.
# the instrumentation servlets are authentication protected if a custom filter (via FilterInitializer) is added.
# the instrumentation servlets had a check hasAdminAccess() that guards their access, restricting access to admin users if security/authorization is ON. This check was incorrect and was fixed by HADOOP-8314.

The HADOOP-8314 fix had a side effect of disabling access to instrumentation if the user is not
in an ACL.

While that may be desirable in certain deployments, it is quite common (and reasonable) to
have instrumentation access without requiring authentication or authorization.

The attached patch then introduces (as the original approach suggested) a property *hadoop.security.authorization.for.instrumentation*
to enforce or not authorization on the instrumentation servlets. The patch does not make any
changes related to authentication requirements (which can still be done by adding a filter via
a filter initializer). The patch modifies the 5 instrumentation servlets to use the new logic
(encapsulated in the *checkInstrumentationAccess()* method).

> Allow configuration of authorization for JmxJsonServlet and MetricsServlet
> --------------------------------------------------------------------------
>                 Key: HADOOP-8343
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8343
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: util
>    Affects Versions: 2.0.0
>            Reporter: Philip Zeyliger
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-8343.patch, HADOOP-8343.patch
> When using authorization for the daemons' web server, it would be useful to specifically control the authorization requirements for accessing /jmx and /metrics.  Currently, they require administrative access.  This JIRA would propose that whether or not they are available to administrators only or to all users be controlled by "hadoop.instrumentation.requires.administrator" (or similar).  The default would be that administrator access is required.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
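
The access decision described in the message above, as an added sketch that is not taken from HADOOP-8343.patch or from Hadoop itself. The class name, the method signatures, the sample ACL and users, and the treatment of an unset property as false are assumptions; the property hadoop.security.authorization.for.instrumentation and the method names hasAdminAccess() and checkInstrumentationAccess() come from the message.

```java
import java.util.Map;
import java.util.Set;

public class InstrumentationAccessDemo {
    // Property named in the message above.
    static final String INSTR_AUTHZ = "hadoop.security.authorization.for.instrumentation";
    // Hadoop's general authorization switch ("security/authorization is ON").
    static final String AUTHZ = "hadoop.security.authorization";

    // Simplified stand-in for the admin check: with authorization on, only users
    // in the admin ACL pass. remoteUser is null when no authentication filter ran.
    static boolean hasAdminAccess(Map<String, String> conf, Set<String> adminAcl,
                                  String remoteUser) {
        if (!Boolean.parseBoolean(conf.get(AUTHZ))) {
            return true;
        }
        return remoteUser != null && adminAcl.contains(remoteUser);
    }

    // Hypothetical shape of the gate shared by the five servlets: the ACL check
    // applies only when the instrumentation property is true. An unset property
    // counts as false in this sketch; the patch's real default is not stated above.
    static boolean checkInstrumentationAccess(Map<String, String> conf,
                                              Set<String> adminAcl, String remoteUser) {
        if (!Boolean.parseBoolean(conf.get(INSTR_AUTHZ))) {
            return true;
        }
        return hasAdminAccess(conf, adminAcl, remoteUser);
    }

    public static void main(String[] args) {
        Set<String> adminAcl = Set.of("hdfs-admin");     // constructed sample ACL
        String[] users = {null, "alice", "hdfs-admin"};  // null = unauthenticated request
        for (String enforce : new String[] {"true", "false"}) {
            Map<String, String> conf = Map.of(AUTHZ, "true", INSTR_AUTHZ, enforce);
            for (String user : users) {
                boolean allowed = checkInstrumentationAccess(conf, adminAcl, user);
                System.out.printf("%s=%s user=%-10s -> %s%n",
                        INSTR_AUTHZ, enforce, user, allowed ? "ALLOW" : "DENY");
            }
        }
    }
}
```

With the property set to false, the only control left on stacks/, logLevel/, conf/, metrics/ and jmx/ is whatever authentication filter has been added through a filter initializer.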

