[
https://issues.apache.org/jira/browse/HDDS-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siyao Meng updated HDDS-6467:
-----------------------------
Description:
This might not be limited to OM, could affect SCM and others as well as they
may share the logic.
Repro:
1. Authenticated with Kerberos as `om` user
2. Then curl, but endpoint returns 403 Forbidden:
{code:bash}
$ curl -k --negotiate -u :
"https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Unauthenticated users are not authorized to access this
page.</title>
</head>
<body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
this page.</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
this page.</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>
</body>
</html>
{code}
OM log prints the user name is {{dr.who}}:
{code}
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
{code}
Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth configured
correctly.
was:
This might not be limited to OM, could affect SCM and others as well as they
may share the logic.
Repro:
1. Authenticated with Kerberos as `om` user
2. Then curl, but endpoint returns 403 Forbidden:
{code:bash}
$ curl -k --negotiate -u :
"https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Unauthenticated users are not authorized to access this
page.</title>
</head>
<body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
this page.</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
this page.</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>
</body>
</html>
```
OM log prints the user name is {{dr.who}}:
```
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
```
Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth configured
correctly.
> OzoneManager /loglevel endpoint SPNEGO auth is broken
> -----------------------------------------------------
>
> Key: HDDS-6467
> URL: https://issues.apache.org/jira/browse/HDDS-6467
> Project: Apache Ozone
> Issue Type: Bug
> Components: OM
> Affects Versions: 1.3.0
> Reporter: Siyao Meng
> Priority: Major
>
> This might not be limited to OM, could affect SCM and others as well as they
> may share the logic.
> Repro:
> 1. Authenticated with Kerberos as `om` user
> 2. Then curl, but endpoint returns 403 Forbidden:
> {code:bash}
> $ curl -k --negotiate -u :
> "https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthenticated users are not authorized to access this
> page.</title>
> </head>
> <body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
> this page.</h2>
> <table>
> <tr><th>URI:</th><td>/logLevel</td></tr>
> <tr><th>STATUS:</th><td>403</td></tr>
> <tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
> this page.</td></tr>
> <tr><th>SERVLET:</th><td>logLevel</td></tr>
> </table>
> </body>
> </html>
> {code}
> OM log prints the user name is {{dr.who}}:
> {code}
> 2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> 2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> {code}
> Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth
> configured correctly.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
