[
https://issues.apache.org/jira/browse/HDDS-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Krishna Kumar Asawa reassigned HDDS-6467:
-----------------------------------------
Assignee: Muskan Mishra
> OzoneManager /loglevel endpoint authentication is not working
> -------------------------------------------------------------
>
> Key: HDDS-6467
> URL: https://issues.apache.org/jira/browse/HDDS-6467
> Project: Apache Ozone
> Issue Type: Bug
> Components: OM
> Affects Versions: 1.3.0
> Reporter: Siyao Meng
> Assignee: Muskan Mishra
> Priority: Major
>
> This might not be limited to OM, could affect SCM and others as well as they
> may share the logic.
> Repro:
> 1. kinit authenticated with Kerberos as user {{om}}
> 2. Then curl, but endpoint returns 403 Forbidden:
> {code:bash}
> $ curl -k --negotiate -u :
> "https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthenticated users are not authorized to access this
> page.</title>
> </head>
> <body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
> this page.</h2>
> <table>
> <tr><th>URI:</th><td>/logLevel</td></tr>
> <tr><th>STATUS:</th><td>403</td></tr>
> <tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
> this page.</td></tr>
> <tr><th>SERVLET:</th><td>logLevel</td></tr>
> </table>
> </body>
> </html>
> {code}
> OM log prints the user name is {{dr.who}}:
> {code}
> 2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> 2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> {code}
> The {{/, /stacks, /jmx, /conf}} endpoints are working just fine. But these
> four doesn't seem to require auth at all (works even after {{kdestroy}} or
> without {{--negotiate -u :}}) on the cluster:
> {code:bash}
> $ curl -k --negotiate -u : "https://<OM_HOST>:9875/"
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> ...
> {code}
> Above test is conducted on an actual cluster. Should be able to repro in
> {{ozonesecure}} docker as well if it enables SPNEGO/SSL.
> curl -v doesn't show any {{gss_init_sec_context() failed: : No Kerberos
> credentials available}} message, indicating the server doesn't ask for SPNEGO
> auth at all.
> A correct SPNEGO negotiation should have {{Authorization: Negotiate AAA}}
> header from client to server, then {{WWW-Authenticate: Negotiate BBB}} from
> server to client.
> It seems {{request.getRemoteUser()}} in this check is incorrectly returning
> the user as {{dr.who}} here:
> https://github.com/apache/hadoop/blob/branch-3.3.1/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java#L1569-L1583
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
