[jira] [Commented] (HADOOP-13119) Web UI error accessing links which need authorization when Kerberos

Fri, 10 Feb 2017 07:15:02 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861390#comment-15861390
 ] 

Eric Yang commented on HADOOP-13119:
------------------------------------

Yuanbo, I would recommend to open a new JIRA for the new problem that you 
found.  The original JIRA did not mention about /jmx and there are good reason 
to keep jmx readable by system users only.  For example, Ambari metrics system 
suppose to have access to /jmx to collect stats.  ams is not impersonating to 
access /jmx.  In this case, it should fall back to reporting ams as remote 
user.  Some links should be treated differently when they are system facing vs 
user facing.  Let's not mutate the JIRA for the newly founded use case.  Thank 
you

> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>             Fix For: 2.7.4, 3.0.0-alpha2, 2.8.1
>
>         Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, 
> HADOOP-13119.003.patch, HADOOP-13119.004.patch, HADOOP-13119.005.patch, 
> HADOOP-13119.005.patch, screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to 
> /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by 
> default don't have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to