[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16399459#comment-16399459 ] Hudson commented on HADOOP-13707: - ABORTED: Integrated in Jenkins build Hadoop-trunk-Commit #13838 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/13838/]) Revert "HADOOP-13707. If kerberos is enabled while HTTP SPNEGO is not (wangda: rev 252c2b4d52e0dd8984d6f2a8f292f40e1c347fab) * (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu >Priority: Major > Labels: security > Fix For: 2.8.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15647883#comment-15647883 ] Hudson commented on HADOOP-13707: - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10789 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10789/]) HADOOP-13707. If kerberos is enabled while HTTP SPNEGO is not (brahma: rev dbb133ccfc00e20622a5dbf7a6e1126fb63d7487) * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java * (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15647866#comment-15647866 ] Brahma Reddy Battula commented on HADOOP-13707: --- Pushed to trunk.. [~ste...@apache.org] can we delete master branch..? Or shalI we discuss in mailing-list..? thanks > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15643934#comment-15643934 ] Brahma Reddy Battula commented on HADOOP-13707: --- [~eyang] this is not committed to trunk. As of now, I am removing the fix version. You committed to [master branch|https://github.com/apache/hadoop/tree/master] which is stale. you can check the master branch commit history in following link, Last commit is on Aug 7, 2015. https://github.com/apache/hadoop/commits/master.. I think, we should delete the master branch.. Let me discuss about removal of master. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15582528#comment-15582528 ] Eric Yang commented on HADOOP-13707: Thanks Brahma and Steve for catching the mistakes. I have amended the patch with MetricsServlet changes, and also applied branch-2.8 patch. Preflight passed this time. Thank you all. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15582521#comment-15582521 ] Yuanbo Liu commented on HADOOP-13707: - [~eyang] Really sorry for not pointing out trunk patch and branch-2.8/branch-2 patch are slightly different because of {{MetricsServlet.java}}. My patches in the attachment contain some changes about {{MetricsServlet.java}}. Hope my mistake won't bother you too much! [~brahmareddy] Thanks a lot for your reminder! > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15582199#comment-15582199 ] Brahma Reddy Battula commented on HADOOP-13707: --- [~eyang] As I mentioned above {{MetricsServlet.java}} changes are missed in branch-2 [Commit|https://github.com/apache/hadoop/commit/439422fff923ae6aea1f7547fe24d0e23fbd8f7f#commitcomment-19446926] ,Please have a look at latest patch uploaded by [~yuanbo] for branch-2 and branch-2.8.. May be you need revert from branch-2 and apply the latest patch for branch-2 OR prepare addedum patch for only {{MetricsServlet.java}} changes. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15582017#comment-15582017 ] Steve Loughran commented on HADOOP-13707: - checking this locally. -Eric's fix for branch-2 has got it happy; Brahma's reversion of the patch from 2.8 has that happy too. I'm going to tweak the tagged release version of this JIRA to 2.9 until a patch that builds goes into 2.8. I'm expecting it to work this time, but do a quick preflight build before pushing up, if you can. At least with weekend patches things can get fixed before our US colleagues get to their keyboards on a monday morning. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581091#comment-15581091 ] Brahma Reddy Battula commented on HADOOP-13707: --- Yes, again "import javax.servlet.ServletContext" is missed which brokes branch-2 compliation and MetricsServlet changes are not present. Actullay [~yuanbo] patches are correct but same is not get committed...[~eyang] there might be problem while commiting to branch-2 and branch-2.8 from your side. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581085#comment-15581085 ] Eric Yang commented on HADOOP-13707: WeiWei, thanks for the verification. I just found out git didn't commit LogLevel, and committed accordingly. It should work now. Thanks > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581065#comment-15581065 ] Weiwei Yang commented on HADOOP-13707: -- Hi [~eyang] Looks like branch-2 is still broken, the {{LogLevel}} class is still missing import causing the compilation failure. Please check. Thank you. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15579275#comment-15579275 ] Hadoop QA commented on HADOOP-13707: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 37s{color} | {color:green} branch-2.8 passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 54s{color} | {color:green} branch-2.8 passed with JDK v1.8.0_101 {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 49s{color} | {color:green} branch-2.8 passed with JDK v1.7.0_111 {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 24s{color} | {color:green} branch-2.8 passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 58s{color} | {color:green} branch-2.8 passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 16s{color} | {color:green} branch-2.8 passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 38s{color} | {color:green} branch-2.8 passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 45s{color} | {color:green} branch-2.8 passed with JDK v1.8.0_101 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 57s{color} | {color:green} branch-2.8 passed with JDK v1.7.0_111 {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 40s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 45s{color} | {color:green} the patch passed with JDK v1.8.0_101 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 5m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 52s{color} | {color:green} the patch passed with JDK v1.7.0_111 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 23s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 59s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 16s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s{color} | {color:red} The patch has 47 line(s) that end in whitespace. Use git apply --whitespace=fix <>. Refer https://git-scm.com/docs/git-apply {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 45s{color} | {color:green} the patch passed with JDK v1.8.0_101 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 56s{color} | {color:green} the patch passed with JDK v1.7.0_111 {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 19s{color} | {color:green} hadoop-common in the patch passed with JDK v1.7.0_111. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 22s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 61m 55s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:5af2af1 | | JIRA Issue | HADOOP-13707 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12833592/HADOOP-13707-branch-2.8.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux 49a6066a2212 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | branch-2.8 / 1c47389 | | Default Java | 1.7.0_111 | | Multi-JDK versions |
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15579238#comment-15579238 ] Brahma Reddy Battula commented on HADOOP-13707: --- bq.I was using "Resume Progress" -> "Submit patch", but it didn't work you've to re-upload the patch to run jenkins.. bq.It would be better if the dashboard contains something like "Rerun Jenkins" button. there is rebuild button and build with parameters.Only login users(with apache id) can trigger. I Triggered the jenkins. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15579120#comment-15579120 ] Yuanbo Liu commented on HADOOP-13707: - [~brahmareddy] I have no idea about how re-establish Jenkins job. I was using "Resume Progress" -> "Submit patch", but it didn't work. It would be better if the dashboard contains something like "Rerun Jenkins" button. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15578151#comment-15578151 ] Yuanbo Liu commented on HADOOP-13707: - [~eyang] Thanks for your commit [~brahmareddy] Thanks for your review I've prepared branch-2, branch-2.8 patches for this issue. please see the attachments and review them. Thanks in advance! > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707-branch-2-addendum.patch, > HADOOP-13707-branch-2.8.patch, HADOOP-13707-branch-2.patch, > HADOOP-13707.001.patch, HADOOP-13707.002.patch, HADOOP-13707.003.patch, > HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15577888#comment-15577888 ] Brahma Reddy Battula commented on HADOOP-13707: --- [~eyang] it's broke branch-2 compilation, as it's following import is not there... {{import javax.servlet.ServletContext}}...will attach addendum patch.. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Fix For: 2.8.0, 2.9.0, 3.0.0-alpha2 > > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch, HADOOP-13707.004.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15570527#comment-15570527 ] Hadoop QA commented on HADOOP-13707: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 19s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 9m 5s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 22s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 25s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 59s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 13s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 21s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 38s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 49s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 49s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 54s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 13s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 26s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 41s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 7m 47s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 23s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 42m 10s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:9560f25 | | JIRA Issue | HADOOP-13707 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12833010/HADOOP-13707.004.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux a8353e013568 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 12d739a | | Default Java | 1.8.0_101 | | findbugs | v3.0.0 | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/10754/testReport/ | | modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/10754/console | | Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch, HADOOP-13707.004.patch > > > In
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15568870#comment-15568870 ] Yuanbo Liu commented on HADOOP-13707: - Adding SPENGO filter belongs to enabling SPENGO step. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15568753#comment-15568753 ] Yuanbo Liu commented on HADOOP-13707: - [~jojochuang] Thanks for your comments. {quote} I feel like a correct approach is to add a SPENGO filter... {quote} Yes you're right, actually I'm ready to add a SPENGO filter with delegation feature in HADOOP-13119. But as I said, enabling Kerberos and SPENGO are two steps. If users enable Kerberos without SPENGO, that means the http sever of the cluster is in non-security environment. In this situation, static user's authorization shouldn't be checked. In the very first installation of Hadoop, http sever is also in non-security environment without any authorization check. So I think the behavior here should be consistent and "dr.who" issue should be avoid. Thanks again for your comments, looking forward to your response. :) > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15568512#comment-15568512 ] Hadoop QA commented on HADOOP-13707: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 8m 25s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 27s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 4s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 32s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 11s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 8m 11s{color} | {color:green} the patch passed {color} | | {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange} 0m 27s{color} | {color:orange} hadoop-common-project/hadoop-common: The patch generated 1 new + 135 unchanged - 0 fixed = 136 total (was 135) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 2s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 13s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 47s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 8s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 21s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 44m 13s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:9560f25 | | JIRA Issue | HADOOP-13707 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12832867/HADOOP-13707.003.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux 867e043ecce8 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 6476934 | | Default Java | 1.8.0_101 | | findbugs | v3.0.0 | | checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/10742/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-common.txt | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/10742/testReport/ | | modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/10742/console | | Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type:
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15568498#comment-15568498 ] Wei-Chiu Chuang commented on HADOOP-13707: -- [~yuanbo] thanks for working in a patch, however I am not sure if this the right approach. Like what Allen said, logs are not supposed to be seen by non-admin if the cluster is Kerberized. I feel like a correct approach is to add a SPENGO filter for /logs so that it is accessible for Kerberos users just like /jmx and /logLevel. Does that make sense? > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15568391#comment-15568391 ] Yuanbo Liu commented on HADOOP-13707: - After discussing with [~cheersyang], I realize that sometimes users may just want to pass user name to NameNode without authentication, but want to keep admin authorization check. So I restrict conditions of non-security environment in my v003 patch. Only static user without authentication will be considered as non-security environment. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15567959#comment-15567959 ] Hadoop QA commented on HADOOP-13707: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 8m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 16s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 28s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 5s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 13s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 27s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 45s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 42s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 7m 51s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 7m 51s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 28s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 2s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 14s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 32s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 23s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 43m 45s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:9560f25 | | JIRA Issue | HADOOP-13707 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12832835/HADOOP-13707.002.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux 58db3f1c961e 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 6476934 | | Default Java | 1.8.0_101 | | findbugs | v3.0.0 | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/10739/testReport/ | | modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/10739/console | | Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses >
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15567903#comment-15567903 ] Yuanbo Liu commented on HADOOP-13707: - If HTTP SPNEGO is not enabled, user can not be authenticated, and "dr.who" is used as a default user. {{HttpServer2#hasAdministratorAccess}} is a authorization method to verify whether user has admin access. Since user(dr.who) is not authenticated, http sever is in non-security environment, there is no need to call {{hasAdministratorAccess}} to do authorization check. {{HttpServletRequest#getAuthType}} returns null in non-security environment (without AuthenticationFilter), so we can take advantage of it and use it to determine whether {{hasAdministratorAccess}} should be called. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu >Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15567776#comment-15567776 ] Yuanbo Liu commented on HADOOP-13707: - I've changed my description a bit, because it seems not logic to change code in {{HttpServer2#hasAdministratorAccess}}, we should stop servlet invokes it if authType is null. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15565730#comment-15565730 ] Yuanbo Liu commented on HADOOP-13707: - [~aw] Thanks for your response. Non-admin users shouldn't be looking at it in security environment. But if HTTP SPNEGO is not enabled, that is to say, in non-security environment for http sever, users cannot be authenticated and passed to NameNode, and "/logs" should be accessed by all users. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should use {{hadoop.http.authentication.type}} instead of > {{hadoop.security.authorization}} to detect whether HTTP authentication is > enabled, if the value of {{hadoop.http.authentication.type}} equals > `simple`, anybody has administrator access. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15565604#comment-15565604 ] Allen Wittenauer commented on HADOOP-13707: --- /logs was specifically blocked way back when due to the sensitive nature of the content. Non-admin users shouldn't be looking at it at all and admin users have access from the shell. > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > - > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug >Reporter: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should use {{hadoop.http.authentication.type}} instead of > {{hadoop.security.authorization}} to detect whether HTTP authentication is > enabled, if the value of {{hadoop.http.authentication.type}} equals > `simple`, anybody has administrator access. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org