[
https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15472960#comment-15472960
]
Eric Yang commented on HADOOP-13119:
------------------------------------
Hi Arpit,
There is no authentication done for /log servlet. If the log url is proxy
through Knox or using SPNEGO for authentication. HDFS log url is passing
through unfiltered. Reopen this because this problem is general in
hadoop/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
addDefaultApps method supposed to honor http authentication method (SPNEGO or
simple), and choose suitable filter accordingly. This part of code seems to be
missing.
> Web UI authorization error accessing /logs/ when Kerberos
> ---------------------------------------------------------
>
> Key: HADOOP-13119
> URL: https://issues.apache.org/jira/browse/HADOOP-13119
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.8.0, 2.7.4
> Reporter: Jeffrey E Rodriguez
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v --negotiate -u tester: http://localhost:50070/logs/
> HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to
> /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by
> default don't have access to secure paths.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
