[
https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Yang updated HADOOP-13707:
-------------------------------
Resolution: Fixed
Release Note: Removed security loophole for allow Dr. who to access server
logs.
Status: Resolved (was: Patch Available)
Sorry for breaking branch-2. This has been fixed. Thanks Brahma for trigger
the build. The white space issue isn't related to this patch. Thanks Yuanbo
for follow up.
> If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot
> be accessed
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13707
> URL: https://issues.apache.org/jira/browse/HADOOP-13707
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Yuanbo Liu
> Assignee: Yuanbo Liu
> Labels: security
> Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2
>
> Attachments: HADOOP-13707-branch-2-addendum.patch,
> HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch,
> HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch,
> HADOOP-13707.004.patch
>
>
> In {{HttpServer2#hasAdministratorAccess}}, it uses
> `hadoop.security.authorization` to detect whether HTTP is authenticated.
> It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If
> Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed,
> such as "/logs", and it will return error message as below:
> {quote}
> HTTP ERROR 403
> Problem accessing /logs/. Reason:
> User dr.who is unauthorized to access this page.
> {quote}
> We should make sure {{HttpServletRequest#getAuthType}} is not null before we
> invoke {{HttpServer2#hasAdministratorAccess}}.
> {{getAuthType}} means to get the authorization scheme of this request
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
