John Zhuge created HADOOP-14786:
-----------------------------------
Summary: HTTP default servlets do not require authentication when
Kerberos is enabled
Key: HADOOP-14786
URL: https://issues.apache.org/jira/browse/HADOOP-14786
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.8.0
Reporter: John Zhuge
Assignee: John Zhuge
The default HttpServer2 servlets /jmx, /conf, /logLevel, and /stacks do not
require authentication when Kerberos is enabled.
{code:java|title=HttpServer2#addDefaultServlets}
// set up default servlets
addServlet("stacks", "/stacks", StackServlet.class);
addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
addServlet("jmx", "/jmx", JMXJsonServlet.class);
addServlet("conf", "/conf", ConfServlet.class);
{code}
{code:java|title=HttpServer2#addServlet}
public void addServlet(String name, String pathSpec,
    Class<? extends HttpServlet> clazz) {
  // requireAuth is hard-coded to false here
  addInternalServlet(name, pathSpec, clazz, false);
  addFilterPathMapping(pathSpec, webAppContext);
}
{code}
{code:java|title=HttpServer2#addInternalServlet}
addInternalServlet(…, boolean requireAuth)
…
// the SPNEGO filter is only attached when requireAuth is true
if (requireAuth && UserGroupInformation.isSecurityEnabled()) {
  LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
{code}
{{requireAuth}} is {{false}} for the default servlets inside
{{addInternalServlet}}.
The issue can be verified by running the following curl command against
the NameNode web address when Kerberos is enabled:
{noformat}
kdestroy
curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
{noformat}
Expect curl to fail, but it returns the JMX output anyway.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
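The curl check above probes only /jmx. The script below, added here as an illustration and not part of the JIRA issue or of Hadoop, extends that check to all four default servlet paths named in the description: it sends each path an unauthenticated GET (no Kerberos ticket, no SPNEGO, TLS verification disabled like `curl -k`) and reports which ones answer with 200 instead of a 401/403 challenge. The base URL `https://nn-web.example:9871`, the verdict strings and the injectable `fetch` parameter are assumptions made for this example; the latter lets the classification logic be exercised offline against constructed responses.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Paths registered by HttpServer2#addDefaultServlets (from the issue description).
DEFAULT_SERVLETS = ["/stacks", "/logLevel", "/jmx", "/conf"]


def http_get_status(url, timeout=10):
    """GET url with no credentials and no SPNEGO negotiation.

    Returns (http_status, first_200_bytes_of_body). Certificate checking is
    disabled to mirror the `curl -k` used in the issue's reproduction step.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "hadoop-servlet-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as e:
        # 401 (SPNEGO challenge) and 403 arrive here as exceptions.
        return e.code, e.read(200)


def classify(status):
    """Map the status of an unauthenticated request to a verdict (names assumed)."""
    if status == 200:
        return "UNAUTHENTICATED_ACCESS"  # servlet answered without Kerberos
    if status in (401, 403):
        return "AUTH_REQUIRED"  # SPNEGO challenge or outright rejection
    return "OTHER"  # redirects, 404s, errors: inspect by hand


def audit(base_url, fetch=http_get_status):
    """Probe every default servlet under base_url; return {path: verdict}.

    `fetch` is injectable so the logic can be tested without a live NameNode.
    """
    results = {}
    for path in DEFAULT_SERVLETS:
        status, _ = fetch(base_url.rstrip("/") + path)
        results[path] = classify(status)
    return results


def exposed_paths(results):
    """Paths that served content to an unauthenticated client, sorted."""
    return sorted(p for p, v in results.items() if v == "UNAUTHENTICATED_ACCESS")


if __name__ == "__main__":
    # Usage: kdestroy; python3 check_default_servlets.py https://<nn-web>:9871
    base = sys.argv[1] if len(sys.argv) > 1 else "https://nn-web.example:9871"
    res = audit(base)
    for path, verdict in res.items():
        print(f"{path:10} {verdict}")
    # Non-zero exit if any default servlet is reachable without authentication.
    sys.exit(1 if exposed_paths(res) else 0)
```

Run it after `kdestroy` so no ticket cache is available; on an affected 2.8.0 NameNode every path should come back as UNAUTHENTICATED_ACCESS, and on a fixed build each should come back as AUTH_REQUIRED.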