hadoop-common-issues mailing list archives

From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-13119) Web UI error accessing links which need authorization when Kerberos
Date Mon, 07 Nov 2016 03:19:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15642960#comment-15642960 ]

Yuanbo Liu edited comment on HADOOP-13119 at 11/7/16 3:18 AM:
--------------------------------------------------------------

[~Wancy]
Thanks for your response.
I have two concerns about using the delegation token initializer:
* The delegation filter and the SPNEGO filter are different; using the delegation filter, which supports
proxy users, will change the URL rules and the way you request those URLs. I believe it will bring
a lot of code changes in Knox, since the current code is based on the SPNEGO filter, right?
* The delegation filter and the SPNEGO filter cannot coexist. If we replace the SPNEGO initializer with
the delegation initializer, it will bring incompatibility issues in some downstream components
because of this piece of code:
{code}
if (initializer.getName().equals(
    AuthenticationFilterInitializer.class.getName())) {
  hasHadoopAuthFilterInitializer = true;
}
{code}

Thus, I'd prefer extending the SPNEGO filter and making it support proxy users.
  



was (Author: yuanbo):
[~Wancy]
Thanks for your response.
I have to concerns about using delegation token initializer:
* delegation filter and SPENGO filter are different, using delegation filter which supports
proxy user will change url rules and the way you request those urls. I believe it will bring
a lot of code changes in Knox since the current code is based on SPENGO filter, right?
* delegation filter and SPENGO filter cannot coexist. If we replace SPENGO initializer with
delegation initializer, it will bring incompatibility issue in some downstream components
because of such piece of code here:
{code}
if (initializer.getName().equals(
      AuthenticationFilterInitializer.class.getName())) {
      hasHadoopAuthFilterInitializer = true;
}
{code}

Thus, I'd prefer extending SPENGO filter and make it support proxy user.
  


> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>         Attachments: screenshot-1.png
>
>
> Use Hadoop in secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
