[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141927#comment-16141927 ]
Arpit Agarwal commented on HADOOP-13119:
----------------------------------------

This change looks incompatible. It breaks doAs for kerberized clusters that allow anonymous auth on the RM webserver. It is not a secure setup but I am sure it is being used. Exact exception below (also HADOOP-14728):

{code}
$ curl -ik 'http://w.x.y.z:8088/ws/v1/cluster/appstatistics/?doAs=guest'
HTTP/1.1 500 Null user
Cache-Control: must-revalidate,no-cache,no-store
Date: Fri, 11 Aug 2017 06:45:28 GMT
Pragma: no-cache
Date: Fri, 11 Aug 2017 06:45:28 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Content-Length: 4288
Server: Jetty(6.1.26.hwx)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Null user</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /ws/v1/cluster/appstatistics/. Reason:
<pre>    Null user</pre></p><h3>Caused by:</h3><pre>java.lang.IllegalArgumentException: Null user
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1409)
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1396)
	at org.apache.hadoop.security.AuthenticationWithProxyUserFilter$1.getRemoteOrProxyUser(AuthenticationWithProxyUserFilter.java:81)
	at org.apache.hadoop.security.AuthenticationWithProxyUserFilter$1.getRemoteUser(AuthenticationWithProxyUserFilter.java:92)
	at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:95)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.security.AuthenticationWithProxyUserFilter.doFilter(AuthenticationWithProxyUserFilter.java:101)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:576)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.security.http.CrossOriginFilter.doFilter(CrossOriginFilter.java:95)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1426)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre>
<hr /><i><small>Powered by Jetty://</small></i><br/>
</body>
</html>
{code}

This worked prior to HADOOP-13119.
{code}
$ curl -ik 'http://w.x.y.z:8088/ws/v1/cluster/appstatistics/?doAs=guest'
HTTP/1.1 200 OK
Cache-Control: no-cache
Expires: Fri, 11 Aug 2017 06:41:24 GMT
Date: Fri, 11 Aug 2017 06:41:24 GMT
Pragma: no-cache
Expires: Fri, 11 Aug 2017 06:41:24 GMT
Date: Fri, 11 Aug 2017 06:41:24 GMT
Pragma: no-cache
Content-Type: application/json
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Server: Jetty(6.1.26.hwx)

{"appStatInfo":{"statItem":[{"state":"ACCEPTED","type":"*","count":0},{"state":"KILLED","type":"*","count":0},{"state":"NEW","type":"*","count":0},{"state":"FAILED","type":"*","count":14},{"state":"SUBMITTED","type":"*","count":0},{"state":"FINISHED","type":"*","count":932},{"state":"NEW_SAVING","type":"*","count":0},{"state":"RUNNING","type":"*","count":0}]}}
{code}

Unfortunately this change was released in 2.7.4, but it should probably be reverted from 2.8.2, 2.7.5 and 2.9.0.

cc [~lmc...@apache.org] and found by [~kpandey].

> Add ability to secure log servlet using proxy users
> ---------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>             Fix For: 2.9.0, 2.7.4, 3.0.0-alpha4, 2.8.2
>
>         Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, HADOOP-13119.003.patch, HADOOP-13119.004.patch, HADOOP-13119.005.patch, HADOOP-13119.005.patch, screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v --negotiate -u tester: http://localhost:50070/logs/
> HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are past authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.
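The failure in the stack trace above, modelled in Python as an added example. This is not Hadoop's code and not the HADOOP-13119 patch; `resolve_unchecked`, `resolve_checked`, `simulate`, `STATIC_USER` and the `PROXY_USERS` allow-list are all assumptions constructed for the illustration. The unchecked resolver reproduces the path where an anonymous principal (`None`) carrying `?doAs=` reaches the `createRemoteUser` stand-in and surfaces as an HTTP 500; the checked resolver decides the anonymous case explicitly (either reject impersonation with a 403, or ignore `doAs` and fall through to the static web user, which is the behaviour the 200 response above shows) and authorises impersonation against an allow-list before building a proxy identity.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Hypothetical model of doAs (proxy-user) resolution in a web filter chain.
# Added example, not Hadoop's code; every name below is an assumption.

STATIC_USER = "dr.who"  # constructed: identity a static-user web filter gives anonymous callers

# Constructed impersonation allow-list: real user -> users it may act as.
PROXY_USERS: Dict[str, Set[str]] = {"hue": {"guest", "analyst"}}


class HttpError(Exception):
    """A deliberate, client-facing HTTP failure (4xx), as opposed to an unhandled 500."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


@dataclass(frozen=True)
class Identity:
    user: str
    real_user: Optional[str] = None  # set only when `user` is being impersonated


def create_remote_user(name: Optional[str]) -> Identity:
    """Stand-in for UserGroupInformation.createRemoteUser: a null name is a
    programming error, so it raises, which is exactly the failure in the trace."""
    if not name:
        raise ValueError("Null user")
    return Identity(user=name)


def resolve_unchecked(remote_user: Optional[str], do_as: Optional[str]) -> Optional[Identity]:
    """Resolution with no anonymous check. With anonymous auth enabled the
    authenticated principal is None; a ?doAs= request then builds the real-user
    identity from None and the ValueError bubbles up as an HTTP 500."""
    if do_as:
        real = create_remote_user(remote_user)  # raises for anonymous callers
        return Identity(user=do_as, real_user=real.user)
    # None means: let a downstream static-user filter pick the identity.
    return Identity(user=remote_user) if remote_user else None


def resolve_checked(
    remote_user: Optional[str],
    do_as: Optional[str],
    proxy_users: Dict[str, Set[str]],
    reject_anonymous_do_as: bool = True,
) -> Identity:
    """Hardened resolution: the anonymous case is decided here and never handed
    to create_remote_user, and impersonation is authorised against an allow-list."""
    if remote_user is None:
        if do_as and reject_anonymous_do_as:
            raise HttpError(403, "anonymous callers may not impersonate")
        # Ignore doAs and fall through to the static web user; the request
        # succeeds, as the pre-HADOOP-13119 200 response in the comment does.
        return Identity(user=STATIC_USER)
    if not do_as:
        return Identity(user=remote_user)
    if do_as not in proxy_users.get(remote_user, set()):
        raise HttpError(403, f"user {remote_user} is not allowed to impersonate {do_as}")
    return Identity(user=do_as, real_user=remote_user)


Resolver = Callable[[Optional[str], Optional[str]], Optional[Identity]]


def simulate(resolver: Resolver, remote_user: Optional[str], do_as: Optional[str]) -> Tuple[int, str]:
    """Run a resolver the way a servlet filter chain would and report what the
    client sees: 200 with the effective user, a deliberate 4xx, or 500 for an
    unhandled exception (the container error page in the trace)."""
    try:
        ident = resolver(remote_user, do_as)
    except HttpError as e:
        return e.status, e.reason
    except Exception as e:  # unhandled -> container error page, as in the trace
        return 500, str(e)
    if ident is None:
        ident = Identity(user=STATIC_USER)
    if ident.real_user is None:
        return 200, ident.user
    return 200, f"{ident.user} (via {ident.real_user})"


if __name__ == "__main__":
    def checked(u: Optional[str], d: Optional[str]) -> Identity:
        return resolve_checked(u, d, PROXY_USERS)

    for label, resolver in (("unchecked", resolve_unchecked), ("checked", checked)):
        for remote_user, do_as in ((None, "guest"), ("hue", "guest"), ("tester", "guest"), (None, None)):
            print(f"{label:9} remote_user={remote_user!r:8} doAs={do_as!r:8} -> {simulate(resolver, remote_user, do_as)}")
```

The defender's point is that "Null user" is a server error produced by the identity layer, so whichever filter can observe an anonymous principal has to decide the `doAs` case itself instead of letting a null name reach the identity constructor; an explicit 403 (or a documented fall-through to the static user) is a policy decision that shows up in access logs, whereas a 500 is an outage that hides the policy question.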