[
https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yuanbo Liu updated HADOOP-13707:
--------------------------------
Description:
In {{HttpServer2#hasAdministratorAccess}}, it uses
{{hadoop.security.authorization}} to detect whether HTTP is authenticated.
It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If
Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed,
such as "/logs", and it will return an error message as below:
{quote}
HTTP ERROR 403
Problem accessing /logs/. Reason:
User dr.who is unauthorized to access this page.
{quote}
We should make sure {{HttpServletRequest#getAuthType}} is not null before we
invoke {{HttpServer2#hasAdministratorAccess}}.
{{getAuthType}} means to get the authorization scheme of this request.
was:
In {{HttpServer2#hasAdministratorAccess}}, it uses
{{hadoop.security.authorization}} to detect whether HTTP is authenticated.
It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If
Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed,
such as "/logs", and it will return an error message as below:
{quote}
HTTP ERROR 403
Problem accessing /logs/. Reason:
User dr.who is unauthorized to access this page.
{quote}
We should use {{hadoop.http.authentication.type}} instead of
{{hadoop.security.authorization}} to detect whether HTTP authentication is
enabled; if the value of {{hadoop.http.authentication.type}} equals {{simple}},
anybody has administrator access.
> If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot
> be accessed
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13707
> URL: https://issues.apache.org/jira/browse/HADOOP-13707
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Yuanbo Liu
> Labels: security
> Attachments: HADOOP-13707.001.patch
>
>
> In {{HttpServer2#hasAdministratorAccess}}, it uses
> {{hadoop.security.authorization}} to detect whether HTTP is authenticated.
> It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If
> Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed,
> such as "/logs", and it will return an error message as below:
> {quote}
> HTTP ERROR 403
> Problem accessing /logs/. Reason:
> User dr.who is unauthorized to access this page.
> {quote}
> We should make sure {{HttpServletRequest#getAuthType}} is not null before we
> invoke {{HttpServer2#hasAdministratorAccess}}.
> {{getAuthType}} means to get the authorization scheme of this request.
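The two gates the report contrasts, side by side, as an added illustration that is not Hadoop's own {{HttpServer2}} code and not the attached patch: the "before" variant decides admin access from {{hadoop.security.authorization}} alone, the "after" variant adds the {{HttpServletRequest#getAuthType}} null check the reporter proposes. The {{Request}} interface is a constructed stand-in for the two servlet-request methods the check consults, and the ACL, user names and requests are constructed sample data.

```java
// Added illustration for the check discussed in HADOOP-13707; not Hadoop's
// HttpServer2 code. Request is a constructed stand-in for the two
// javax.servlet.http.HttpServletRequest methods the gate needs, and the ACL
// and sample requests below are constructed data.
import java.util.Set;

public class AdminAccessGate {

    /** Stand-in for HttpServletRequest (assumption: only these two calls matter). */
    interface Request {
        String getAuthType();    // null when no authentication scheme handled the request
        String getRemoteUser();  // the identity the request carries
    }

    /** Minimal constructed implementation so the example runs without a servlet container. */
    static final class FakeRequest implements Request {
        private final String authType;
        private final String remoteUser;
        FakeRequest(String authType, String remoteUser) {
            this.authType = authType;
            this.remoteUser = remoteUser;
        }
        public String getAuthType() { return authType; }
        public String getRemoteUser() { return remoteUser; }
    }

    /** Constructed sample admin ACL; the unauthenticated default identity is never in it. */
    static final Set<String> ADMIN_ACL = Set.of("hdfs");

    /** Gate as the report describes it: keyed only on hadoop.security.authorization.
     *  With authorization on but no SPNEGO filter, the request carries "dr.who",
     *  which fails the ACL, so pages such as /logs answer 403. */
    static boolean hasAdministratorAccessBefore(boolean securityAuthorization, Request req) {
        if (!securityAuthorization) {
            return true;                                 // authorization disabled
        }
        return ADMIN_ACL.contains(req.getRemoteUser());
    }

    /** Gate with the report's proposed precondition: consult the ACL only when an
     *  authentication scheme actually ran on this request (getAuthType() != null). */
    static boolean hasAdministratorAccessAfter(boolean securityAuthorization, Request req) {
        if (!securityAuthorization || req.getAuthType() == null) {
            return true;                                 // same as the "simple" behaviour
        }
        return ADMIN_ACL.contains(req.getRemoteUser());
    }

    public static void main(String[] args) {
        // Scenario from the report: Kerberos on, hadoop.security.authorization=true,
        // but no HTTP SPNEGO filter, so no scheme ran and the user is "dr.who".
        Request noSpnego = new FakeRequest(null, "dr.who");
        // Scenarios with HTTP SPNEGO configured: a negotiated identity is present.
        Request spnegoAdmin = new FakeRequest("Negotiate", "hdfs");
        Request spnegoUser = new FakeRequest("Negotiate", "alice");

        System.out.println("before, no SPNEGO    : " + hasAdministratorAccessBefore(true, noSpnego));
        System.out.println("after,  no SPNEGO    : " + hasAdministratorAccessAfter(true, noSpnego));
        System.out.println("after,  SPNEGO admin : " + hasAdministratorAccessAfter(true, spnegoAdmin));
        System.out.println("after,  SPNEGO user  : " + hasAdministratorAccessAfter(true, spnegoUser));
    }
}
```

Compile and run with `javac AdminAccessGate.java && java AdminAccessGate`. The point worth noting for an operator is that the proposed precondition does not make /logs safer on its own: when no HTTP authentication scheme runs, both the "simple" setting and the null {{getAuthType}} path grant administrator access to every caller, exactly as the reporter states, so the admin ACL only takes effect once HTTP SPNEGO is actually configured alongside Kerberos.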
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)