[jira] [Updated] (HDDS-6467) OzoneManager /loglevel endpoint SPNEGO auth is not working

Wed, 16 Mar 2022 21:38:04 -0700 


     [ 
https://issues.apache.org/jira/browse/HDDS-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Siyao Meng updated HDDS-6467:
-----------------------------
    Summary: OzoneManager /loglevel endpoint SPNEGO auth is not working  (was: 
OzoneManager /loglevel endpoint SPNEGO auth is broken)

> OzoneManager /loglevel endpoint SPNEGO auth is not working
> ----------------------------------------------------------
>
>                 Key: HDDS-6467
>                 URL: https://issues.apache.org/jira/browse/HDDS-6467
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: OM
>    Affects Versions: 1.3.0
>            Reporter: Siyao Meng
>            Priority: Major
>
> This might not be limited to OM, could affect SCM and others as well as they 
> may share the logic.
> Repro:
> 1. kinit authenticated with Kerberos as user {{om}}
> 2. Then curl, but endpoint returns 403 Forbidden:
> {code:bash}
> $ curl -k --negotiate -u : 
> "https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthenticated users are not authorized to access this 
> page.</title>
> </head>
> <body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access 
> this page.</h2>
> <table>
> <tr><th>URI:</th><td>/logLevel</td></tr>
> <tr><th>STATUS:</th><td>403</td></tr>
> <tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access 
> this page.</td></tr>
> <tr><th>SERVLET:</th><td>logLevel</td></tr>
> </table>
> </body>
> </html>
> {code}
> OM log prints the user name is {{dr.who}}:
> {code}
> 2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who 
> is unauthorized to access the page /logLevel.
> 2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who 
> is unauthorized to access the page /logLevel.
> {code}
> Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth 
> configured correctly.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to