hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Reopened] (HADOOP-13119) Web UI error accessing links which need authorization when Kerberos
Date Fri, 10 Feb 2017 06:53:42 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Yuanbo Liu reopened HADOOP-13119:
---------------------------------

Reopen it. Because because for some links(such as "/jmx, /stack"), blocking the links in filter
chain because of impersonation issue is not friendly for users. For example, user "sam" is
not allowed to be impersonated by user "knox", the link "/jmx" doesn't need any user to do
authorization by default, and it only needs user "knox" to do authentication, in this case,
it's not right to  block the access in SPNEGO filter. We intend to verify the impersonation
when the method "getRemoteUser" of request is used, so that such kind of links would not be
blocked by mistake. I will attach a new patch ASAP.

> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>             Fix For: 2.7.4, 2.8.1
>
>         Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, HADOOP-13119.003.patch,
HADOOP-13119.004.patch, HADOOP-13119.005.patch, HADOOP-13119.005.patch, screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't
have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message