[
https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568498#comment-15568498
]
Wei-Chiu Chuang commented on HADOOP-13707:
------------------------------------------
[~yuanbo] thanks for working in a patch, however I am not sure if this the
right approach. Like what Allen said, logs are not supposed to be seen by
non-admin if the cluster is Kerberized. I feel like a correct approach is to
add a SPENGO filter for /logs so that it is accessible for Kerberos users just
like /jmx and /logLevel. Does that make sense?
> If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot
> be accessed
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13707
> URL: https://issues.apache.org/jira/browse/HADOOP-13707
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Yuanbo Liu
> Assignee: Yuanbo Liu
> Labels: security
> Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch,
> HADOOP-13707.003.patch
>
>
> In {{HttpServer2#hasAdministratorAccess}}, it uses
> `hadoop.security.authorization` to detect whether HTTP is authenticated.
> It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If
> Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed,
> such as "/logs", and it will return error message as below:
> {quote}
> HTTP ERROR 403
> Problem accessing /logs/. Reason:
> User dr.who is unauthorized to access this page.
> {quote}
> We should make sure {{HttpServletRequest#getAuthType}} is not null before we
> invoke {{HttpServer2#hasAdministratorAccess}}.
> {{getAuthType}} means to get the authorization scheme of this request
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
