[ https://issues.apache.org/jira/browse/HADOOP-6568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838093#action_12838093 ]

Ravi Gummadi commented on HADOOP-6568:
--------------------------------------

Patch looks good. Verified on the web UI for access of /logs, /conf, /stacks, 
/metrics, and /logLevel.

Some minor comments:

(1) Description of config property in core-default.xml needs to be corrected.
>>For specifying a list of users and groups the format to use is "user1,user2 
>>group1,group". If set to '*', it allows all users/groups to modify this job.
As this is not job-specific config, change the above to something like
For specifying a list of users and groups the format to use is "user1,user2 
group1,group2". If set to '*', it allows all users to view logs, conf, metrics, 
stacks, etc.

(2) Please add some javadoc for methods in testcase.

(3) Error message displayed when authorization fails can be improved by adding 
quotes for the value of adminsAclString?
Currently, it is like -- 
User user2 is unauthorized to access this page. Only superusers/supergroup 
user1 group1,group2 can access this page.
It would look better with quotes:
User user2 is unauthorized to access this page. Only superusers/supergroup 
"user1 group1,group2" can access this page.


> Authorization for default servlets
> ----------------------------------
>
>                 Key: HADOOP-6568
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6568
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Vinod K V
>            Assignee: Vinod K V
>             Fix For: 0.22.0
>
>         Attachments: HADOOP-6568-20100216.txt, HADOOP-6568-20100224.1.txt, 
> HADOOP-6568-20100224.txt
>
>
> We have the following default servlets: /logs, /static, /stacks, /logLevel, 
> /metrics, /conf. Barring "/static", rest of the servlets provide information 
> that is only for administrators. In the context of security for the 
> web-servlets, we need protected access to these pages.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
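
An added example, not code from the HADOOP-6568 patch or from Hadoop: a stand-alone sketch of the admin ACL check discussed in the comment above, using the "user1,user2 group1,group2" format, the '*' wildcard, and the quoted form of the error message suggested in point (3). The class name AdminAclExample, its methods, and the sample users and groups are assumptions made for illustration.

```java
import java.util.*;

/** Hypothetical stand-alone sketch of the admin ACL check; not Hadoop's own class. */
public class AdminAclExample {
    private final String aclString;
    private final boolean allAllowed;
    private final Set<String> users = new HashSet<>();
    private final Set<String> groups = new HashSet<>();

    AdminAclExample(String aclString) {
        this.aclString = aclString;
        this.allAllowed = aclString.trim().equals("*");
        if (!allAllowed) {
            // Users come before the first space, groups after it.
            // A leading space therefore yields an ACL with groups only.
            String[] parts = aclString.split(" ", 2);
            addNames(users, parts[0]);
            if (parts.length == 2) addNames(groups, parts[1]);
        }
    }

    private static void addNames(Set<String> into, String csv) {
        for (String name : csv.split(",")) {
            if (!name.trim().isEmpty()) into.add(name.trim());
        }
    }

    /** Returns null when access is allowed, otherwise the message to show. */
    String check(String user, Collection<String> userGroups) {
        if (allAllowed || users.contains(user)
                || !Collections.disjoint(groups, userGroups)) {
            return null;
        }
        // Quoting the ACL value keeps the user list and group list readable as one unit.
        return "User " + user + " is unauthorized to access this page. "
             + "Only superusers/supergroup \"" + aclString + "\" can access this page.";
    }

    public static void main(String[] args) {
        // Constructed sample ACL and callers, matching the names used in the comment.
        AdminAclExample acl = new AdminAclExample("user1 group1,group2");
        System.out.println(acl.check("user1", List.of()));          // listed user
        System.out.println(acl.check("user3", List.of("group2")));  // member of a listed group
        System.out.println(acl.check("user2", List.of("users")));   // neither: denied
        System.out.println(new AdminAclExample("*").check("user2", List.of())); // wildcard
    }
}
```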
