Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
Date: Fri, 4 Nov 2016 22:56:59 +0000 (UTC)
From: "Shi Wang (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12965916.1462731347000.195910.1478300219035@Atlassian.JIRA>
In-Reply-To: <JIRA.12965916.1462731347000@Atlassian.JIRA>
References: <JIRA.12965916.1462731347000@Atlassian.JIRA> <JIRA.12965916.1462731347891@arcas>
Subject: [jira] [Commented] (HADOOP-13119) Web UI error accessing links
 which need authorization when Kerberos
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
archived-at: Fri, 04 Nov 2016 22:57:01 -0000


    [ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15637970#comment-15637970 ] 

Shi Wang commented on HADOOP-13119:
-----------------------------------

Hi [~yuanbo],

Your proposes looks good for me, for the second point, there is DelegationTokenAuthenticationFilter that extends AuthenticationFilter and supports proxy user. 
From my opinion, either we can add proxy user support directly in AuthenticationFilter or use the existing DelegationTokenAuthenticationFilter. 
It seems adding directly in AuthenticationFilter is more straight forward and touches less files, but need to verify it is harmless and make sense to add it here.
To use the existing code in DelegationTokenAuthenticationFilter, need to have an authenticationfilterinitializer to add DelegationTokenAuthenticationFilter in the filterchain. 
Because yarn is using RMAuthenticationFilterInitializer to support delegation token authentication and proxy user, we may apply it to  hadoop common.
And by configuring hadoop.http.filter.initializers to self defined authenticationfilterinitializer, we can add filters as needed.

> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>         Attachments: screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org