[ https://issues.apache.org/jira/browse/HADOOP-14786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wangda Tan updated HADOOP-14786:
--------------------------------
    Target Version/s: 3.2.0  (was: 3.1.0)

> HTTP default servlets do not require authentication when kerberos is enabled
> ----------------------------------------------------------------------------
>
>                 Key: HADOOP-14786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Major
>
> The default HttpServer2 servlet /jmx, /conf, /logLevel, and /stack do not
> require authentication when Kerberos is enabled.
> {code:java|title=HttpServer2#addDefaultServlets}
>   // set up default servlets
>   addServlet("stacks", "/stacks", StackServlet.class);
>   addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
>   addServlet("jmx", "/jmx", JMXJsonServlet.class);
>   addServlet("conf", "/conf", ConfServlet.class);
> {code}
> {code:java|title=HttpServer2#addServlet}
>   public void addServlet(String name, String pathSpec,
>       Class<? extends HttpServlet> clazz) {
>     addInternalServlet(name, pathSpec, clazz, false);
>     addFilterPathMapping(pathSpec, webAppContext);
> {code}
> {code:java|title=Httpserver2#addInternalServlet}
>   addInternalServlet(…, bool requireAuth)
> …
>     if(requireAuth && UserGroupInformation.isSecurityEnabled()) {
>       LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
> {code}
> {{requireAuth}} is {{false}} for the default servlets inside
> {{addInternalServlet}}.
> The issue can be verified by running the following curl command against
> NameNode web address when Kerberos is enabled:
> {noformat}
> kdestroy
> curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
> {noformat}
> Expect curl to fail, but it returns JMX anyway.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
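
Added example, not part of the JIRA message or of Hadoop's code: a Python check that repeats the curl verification quoted above for all four default servlet paths, sending no credentials, and reports which paths answer with a SPNEGO challenge. The function names and the choice to treat any status other than 2xx or a 401 Negotiate challenge as inconclusive are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request

# Paths registered by HttpServer2#addDefaultServlets, as quoted in the issue.
DEFAULT_SERVLETS = ("/stacks", "/logLevel", "/jmx", "/conf")


def probe(base_url, path, timeout=5, context=None):
    """GET path with no credentials; return (status, WWW-Authenticate value).

    Pass an ssl.SSLContext as `context` when the server uses a private CA.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; the status and headers are still there.
        return err.code, err.headers.get("WWW-Authenticate", "")


def classify(status, challenge):
    """Turn one anonymous response into a finding (labels are this example's)."""
    if status == 401 and "negotiate" in challenge.lower():
        return "protected"      # the SPNEGO filter demanded authentication
    if 200 <= status < 300:
        return "open"           # content was served without authentication
    return "inconclusive"       # 403, 404, 5xx and so on: inspect by hand


def audit(base_url, paths=DEFAULT_SERVLETS, context=None):
    """Return {path: finding} for each default servlet path."""
    return {p: classify(*probe(base_url, p, context=context)) for p in paths}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_servlets.py https://<nn-web>:9871")
    for path, finding in audit(sys.argv[1]).items():
        print(f"{finding:13}{path}")
```

On a Kerberos-enabled daemon every path should come back as `protected`; an `open` result matches the behaviour the issue describes.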