[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15473114#comment-15473114 ]

Jeffrey E  Rodriguez commented on HADOOP-13119:
-----------------------------------------------

Hi Eric, you are right: only /stacks, /logLevel, /metrics, /jmx, and /conf are 
set with SPNEGO authentication (through the addServlet method).
/logs access is just controlled by the HttpServer2.hasAdministratorAccess 
method but is not being set with the SPNEGO filter.

SPNEGO authentication is done through the SpnegoFilter, which needs to be 
configured to the correct Hadoop security class:
hadoop.http.filter.initializers
org.apache.hadoop.security.AuthenticationFilterInitializer

Why was it done this way? I think the dfs.cluster.administrators setting, which is 
used in HttpServer2.hasAdministratorAccess, is related to this.

I would be curious about the opinion of the community.

In my use case the access to /logs is through a proxy server (knox), so the end 
user accessing the logs is the remote user (knox).

The user I would expect is the doAs user, but since access to the /logs servlet is 
not using SPNEGO there is not really a doAs (there is no authentication).




> Web UI authorization error accessing /logs/ when Kerberos
> ---------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Eric Yang
>
> Use Hadoop in secure mode.
> Log in as kdc user, kinit.
> Start Firefox and enable Kerberos.
> Access http://localhost:50070/logs/
> Get 403 authorization errors.
> Only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to 
> /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by 
> default don't have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
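
An added example, not part of the original message and not Hadoop's own code: a simplified Python model of the check the comment describes, auditing a constructed site XML for the filter initializer and evaluating a remote user against `dfs.cluster.administrators`. The ACL format (`users groups`, `*` for everyone), the `hadoop.security.authorization` gate, the treatment of an unset ACL, and all function names are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

AUTH_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Constructed sample configuration, not taken from the issue.
SAMPLE_SITE_XML = """<configuration>
<property><name>hadoop.http.filter.initializers</name><value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
<property><name>hadoop.security.authorization</name><value>true</value></property>
<property><name>dfs.cluster.administrators</name><value>hdfs opsgroup</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: raw value}; values are not stripped because a leading
    space is significant in an ACL (" group" means groups only)."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value") or ""
            for p in root.iter("property")}

def spnego_filter_enabled(props):
    """True if the authentication filter initializer is configured."""
    inits = props.get("hadoop.http.filter.initializers", "")
    return AUTH_INIT in [c.strip() for c in inits.split(",")]

def parse_acl(acl):
    """Assumed format 'user1,user2 group1,group2'; returns None for '*'."""
    if acl.strip() == "*":
        return None
    users, _, groups = acl.partition(" ")
    names = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return names(users), names(groups)

def logs_decision(props, remote_user, user_groups=()):
    """Simplified model of the admin check guarding /logs -> (status, reason)."""
    if props.get("hadoop.security.authorization", "false").strip().lower() != "true":
        return 200, "authorization disabled"
    if remote_user is None:
        return 403, "unauthenticated"
    # Assumption: an unset ACL is treated as empty, so nobody matches.
    acl = parse_acl(props.get("dfs.cluster.administrators", " "))
    if acl is None or remote_user in acl[0] or acl[1] & set(user_groups):
        return 200, "admin ACL match"
    return 403, f"User {remote_user} is unauthorized to access this page."

if __name__ == "__main__":
    props = load_props(SAMPLE_SITE_XML)
    print("SPNEGO filter initializer set:", spnego_filter_enabled(props))
    # Behind a proxy the check sees the proxy's identity, not the doAs user.
    for user, groups in [("hdfs", []), ("tester", []), ("knox", []), ("alice", ["opsgroup"])]:
        print(user, logs_decision(props, user, groups))
```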
