hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johndee Burks (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-14737) Problem accessing /logs in a Kerberized Hive Server 2 Web UI
Date Fri, 07 Apr 2017 18:05:42 GMT

    [ https://issues.apache.org/jira/browse/HIVE-14737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15961200#comment-15961200
] 

Johndee Burks commented on HIVE-14737:
--------------------------------------

I have looked into this and the problem is the following code. 

[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/AdminAuthorizedServlet.java#L39]


{code}
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    // Do the authorization
    if (HttpServer.hasAdministratorAccess(getServletContext(), request,
        response)) {
      // Authorization is done. Just call super.
      super.doGet(request, response);
{code}

In a secure cluster HttpServer.hasAdministratorAccess will always evaluate false because of
HADOOP_SECURITY_AUTHORIZATION. The code can be seen below. 

[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/HttpServer.java#L259]

{code}
  static boolean hasAdministratorAccess(
      ServletContext servletContext, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
    Configuration conf =
        (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
    // If there is no authorization, anybody has administrator access.
    if (!conf.getBoolean(
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
      return true;
    }
{code}

I am fairly certain if HttpServer.hasAdministratorAccess is changed to HttpServer. isInstrumentationAccessAllowed
this would work without issue. I am looking into the implications of making this change. 

> Problem accessing /logs in a Kerberized Hive Server 2 Web UI
> ------------------------------------------------------------
>
>                 Key: HIVE-14737
>                 URL: https://issues.apache.org/jira/browse/HIVE-14737
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 1.1.0
>            Reporter: Matyas Orhidi
>            Assignee: Johndee Burks
>
> The /logs menu fails with error [1] when the cluster is Kerberized. Other menu items
are working properly.
> [1] HTTP ERROR: 401
> Problem accessing /logs/. Reason:
>     Unauthenticated users are not authorized to access this page.
> Powered by Jetty://



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message