hadoop-common-issues mailing list archives

From "Jeffrey E Rodriguez (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13119) Web UI authorization error accessing /logs/ when Kerberos
Date Thu, 08 Sep 2016 07:44:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15473114#comment-15473114 ]

Jeffrey E  Rodriguez commented on HADOOP-13119:
-----------------------------------------------

Hi Eric, you are right: only /stacks, /logLevel, /metrics, /jmx, and /conf are set with SPNEGO
authentication (through the addServlet method).
/logs access is just controlled by the HttpServer2.hasAdministratorAccess method but is not
being set with the SPNEGO filter.

SPNEGO authentication is done through the SpnegoFilter, which needs to be configured with the
correct Hadoop security class: hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer.

Why was it done this way? I think the dfs.cluster.administrators setting, which is used in HttpServer2.hasAdministratorAccess,
is related to this.

I would be curious about the opinion of the community.

In my use case, access to /logs is through a proxy server (Knox), so the end user accessing
the logs is the remote user (knox).

The user I would expect is the doAs user, but since access to the /logs servlet is not using SPNEGO
there is not really a doAs (there is no authentication).




> Web UI authorization error accessing /logs/ when Kerberos
> ---------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Eric Yang
>
> Use Hadoop in secure mode.
> Log in as a KDC user, kinit.
> Start Firefox and enable Kerberos.
> Access http://localhost:50070/logs/
> Get 403 authorization errors.
> Only the hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
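
Following the comment above, an added example (not code from Hadoop or from the commenter): a Python script that classifies how each web endpoint answers a request sent without credentials, so an operator can see which paths issue a SPNEGO `Negotiate` challenge and which do not. The sample replies are constructed to mirror what the comment describes, and the base URL shown in the code comment is the one from the issue description.

```python
"""Audit which Hadoop web endpoints challenge for SPNEGO (added example)."""
import urllib.error
import urllib.request

# Paths named in the comment above; /logs/ is the one reported as unfiltered.
PATHS = ["/stacks", "/logLevel", "/metrics", "/jmx", "/conf", "/logs/"]


def classify(status, headers):
    """Classify the reply to a request sent WITHOUT credentials."""
    schemes = [v.split()[0].lower() for k, v in headers
               if k.lower() == "www-authenticate" and v.strip()]
    if status == 401 and "negotiate" in schemes:
        return "spnego"            # filter demanded a Kerberos token
    if status == 401:
        return "other-auth"        # challenged, but not with Negotiate
    if status == 403:
        return "authz-only"        # rejected with no authentication challenge
    if 200 <= status < 400:
        return "open"              # served or redirected without credentials
    return "unknown"


def probe(base_url, path, timeout=5):
    """Send one anonymous GET and return (status, header list)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        return err.code, list(err.headers.items())


def audit(responses):
    """Map path -> classification; return paths that never asked for SPNEGO."""
    result = {p: classify(s, h) for p, (s, h) in responses.items()}
    return result, sorted(p for p, c in result.items() if c != "spnego")


# Constructed sample replies (not captured from a real cluster).
SAMPLE = {p: (401, [("WWW-Authenticate", "Negotiate")]) for p in PATHS[:5]}
SAMPLE["/logs/"] = (403, [("Content-Type", "text/html")])

if __name__ == "__main__":
    # To audit a live NameNode: {p: probe("http://localhost:50070", p) for p in PATHS}
    report, unfiltered = audit(SAMPLE)
    for path, verdict in report.items():
        print(f"{path:10} {verdict}")
    print("no SPNEGO challenge:", unfiltered)
```

Any path listed under "no SPNEGO challenge" is one where the identity seen by the authorization check did not come from a Kerberos handshake on that request, which is the situation described for /logs behind a proxy.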

