joshelser commented on issue #936: HBASE-17115 Define UI admins via an ACL
URL: https://github.com/apache/hbase/pull/936#issuecomment-577976481

Alright, I think the last commit does this right now.

There was a problem in my previous patches in that the API I added -- trying to have `privileged` and `unprivileged` methods for adding a servlet to the HttpServer were half-baked. I have this working now so that we don't have to be injecting authz logic into every servlet we write. Just, when we add it to the HttpServer/InfoServer, we call the appropriate method to restrict (or not) access to admins only.

I added some more unit tests which show that both the contexts (e.g. `/logs/`) and the servlets (e.g. `/dump`) both work for admins and reject it for non-admins.

There was some trickiness in cleaning this up: we have a bit of cruft in the HttpServer logic.

* We need to add our "default apps"
* Then add the filters we want to apply globally (e.g. spnego, security headers, etc.)
* Then we add all the servlets, optionally adding in the new `AdminAuthorizedFilter` when we register that filter

That new Filter is the piece which, added at the end of the filter chain (meaning, after all of our other filters we expect to run all the time), will stop callers from accessing that protected servlet if you're not an admin (`HTTP/403`).
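An added illustration of the design described in the comment above, not code from the pull request or from HBase: a servlet filter meant to be registered last in the chain, after the authentication filter, that lets only admins through to the protected servlet. The class name `ExampleAdminOnlyFilter`, the init parameter `example.admin.users`, and the choice to answer unauthenticated requests with 401 are assumptions of this sketch; it needs the `javax.servlet` API on the classpath.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical admin-only filter: register it last, after the authentication filter. */
public class ExampleAdminOnlyFilter implements Filter {
  // Hypothetical init parameter: comma-separated admin user names (exact match).
  static final String ADMINS_PARAM = "example.admin.users";
  private Set<String> admins = Collections.emptySet();

  @Override
  public void init(FilterConfig conf) throws ServletException {
    String raw = conf.getInitParameter(ADMINS_PARAM);
    Set<String> parsed = new HashSet<>();
    if (raw != null) {
      for (String name : raw.split(",")) {
        if (!name.trim().isEmpty()) parsed.add(name.trim());
      }
    }
    admins = Collections.unmodifiableSet(parsed); // empty set: nobody is admin (fail closed)
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    if (!(req instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
      throw new ServletException("Only HTTP requests are supported");
    }
    HttpServletResponse httpResp = (HttpServletResponse) resp;
    // The remote user is set by the authentication filter that ran earlier (e.g. SPNEGO).
    String user = ((HttpServletRequest) req).getRemoteUser();
    if (user == null) { // no authenticated identity: never fall through to the servlet
      httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
      return;
    }
    if (!admins.contains(user)) { // authenticated but not an admin: HTTP 403
      httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, "Admin access required");
      return;
    }
    chain.doFilter(req, resp); // only admins reach the protected servlet
  }

  @Override
  public void destroy() { }
}
```

Because the check lives in a filter mapped to the protected paths, the servlets themselves carry no authorization logic, and a request that fails the check returns before `chain.doFilter` is ever called.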
