hadoop-common-issues mailing list archives

From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
Date Tue, 11 Oct 2016 10:12:20 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yuanbo Liu updated HADOOP-13707:
--------------------------------
    Description: 
In {{HttpServer2#hasAdministratorAccess}}, it uses `hadoop.security.authorization` to detect
whether HTTP is authenticated.
It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is
enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will
return an error message as below:
{quote}
HTTP ERROR 403
Problem accessing /logs/. Reason:
User dr.who is unauthorized to access this page.
{quote}

We should use {{hadoop.http.authentication.type}} instead of {{hadoop.security.authorization}}
to detect whether HTTP authentication is enabled. If the value of {{hadoop.http.authentication.type}}
equals `simple`, anybody has administrator access.

  was:
In {{HttpServer2#hasAdministratorAccess}}, it uses `hadoop.security.authorization` to detect
whether HTTP is authenticated.
It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is
enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will
return an error message as below:
{quote}
HTTP ERROR 403
Problem accessing /logs/. Reason:
User dr.who is unauthorized to access this page.
{quote}

We should use {{adoop.http.authentication.type}} instead of {{hadoop.security.authorization}}
to detect whether HTTP authentication is enabled. If the value of {{hadoop.http.authentication.type}}
equals `simple`, anybody has administrator access.


> If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13707
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13707
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Yuanbo Liu
>              Labels: security
>         Attachments: HADOOP-13707.001.patch
>
>
> In {{HttpServer2#hasAdministratorAccess}}, it uses `hadoop.security.authorization` to detect whether HTTP is authenticated.
> It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will return an error message as below:
> {quote}
> HTTP ERROR 403
> Problem accessing /logs/. Reason:
> User dr.who is unauthorized to access this page.
> {quote}
> We should use {{hadoop.http.authentication.type}} instead of {{hadoop.security.authorization}} to detect whether HTTP authentication is enabled. If the value of {{hadoop.http.authentication.type}} equals `simple`, anybody has administrator access.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
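
An added example, not part of the JIRA message or of Hadoop's code: a Python check that reads a `core-site.xml` and models the two gates the report contrasts, so an operator can see which state a cluster is in. The function names, the two sample configurations and the fallback defaults (`false` and `simple`, assumed from `core-default.xml`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed defaults (Hadoop core-default.xml) for keys absent from the file.
DEFAULTS = {"hadoop.security.authorization": "false",
            "hadoop.http.authentication.type": "simple"}

def load_props(xml_text):
    """Parse core-site.xml text into {name: value}, layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Model both gates from the report and return the resulting findings."""
    props = load_props(xml_text)
    authz_on = props["hadoop.security.authorization"].lower() == "true"
    http_authenticated = props["hadoop.http.authentication.type"].lower() != "simple"
    findings = []
    # Gate as reported: admin check keyed on hadoop.security.authorization.
    if authz_on and not http_authenticated:
        findings.append("current check: admin ACL applied to unauthenticated "
                        "HTTP users, so pages such as /logs answer 403")
    # Gate as proposed: keyed on hadoop.http.authentication.type.
    if not http_authenticated:
        findings.append("proposed check: type is simple, so anybody has "
                        "administrator access to the web pages")
    return findings

# Constructed sample: Kerberos and authorization on, SPNEGO never configured.
KERBEROS_NO_SPNEGO = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

# Constructed sample: same cluster after the HTTP layer is set to kerberos.
KERBEROS_WITH_SPNEGO = KERBEROS_NO_SPNEGO.replace(
    "</configuration>",
    "  <property><name>hadoop.http.authentication.type</name>"
    "<value>kerberos</value></property>\n</configuration>")

if __name__ == "__main__":
    for label, xml_text in (("no SPNEGO", KERBEROS_NO_SPNEGO),
                            ("with SPNEGO", KERBEROS_WITH_SPNEGO)):
        print(label, audit(xml_text) or "no findings")
```
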
