hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jing Zhao (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-5217) Namenode log directory link is inaccessible in secure cluster
Date Wed, 25 Sep 2013 23:11:03 GMT

     [ https://issues.apache.org/jira/browse/HDFS-5217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Jing Zhao updated HDFS-5217:

    Attachment: HDFS-5217.001.patch

Update the patch. 

I followed the instruction in the HttpAuthentication link and enabled Spnego authentication
in the http server. The old patch did not break the Spnego, but with Spnego enabled the log
directory link is inaccessible again.

Since the cause of the issue is that the getRemoteUser call on the http request returns null,
and the AuthenticationFilter wraps the http request with the short name retrieved from the
token, we do not need to add the security handler (and the user realm) when AuthenticationFilter
is specified. So in the new patch I simply check if AuthenticationFilter has been specified
in the configuration.

I have locally tested the patch with/without specifying Spnego. And with the patch the log
directory link can be visited.
> Namenode log directory link is inaccessible in secure cluster
> -------------------------------------------------------------
>                 Key: HDFS-5217
>                 URL: https://issues.apache.org/jira/browse/HDFS-5217
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Jing Zhao
>            Assignee: Jing Zhao
>         Attachments: HDFS-5217.000.patch, HDFS-5217.001.patch
> Currently in a secured HDFS cluster, 401 error is returned when clicking the "NameNode
Logs" link.
> Looks like the cause of the issue is that the httpServer does not correctly set the security
handler and the user realm currently, which causes the httpRequest.getRemoteUser (for the
log URL) to return null and later be overwritten to the default web name (e.g., "dr.who")
by the filter. In the meanwhile, in a secured cluster the log URL requires the http user to
be an administrator. That's why we see the 401 error.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message