[MAPREDUCE-6845] Job history server requires admin permission when accessing container log in secure environment, which is not correct - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Not A Problem
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

A typical url of container log in job history server is like this:

http://{job history server address}:19888/jobhistory/logs/{node manager address}:{port}/{container id}/{entity id}/{app owner}

When accessing it in secure environment, it requires authorization.
Because the parent path /logs has AdminAuthorizedServlet defined in HttpServer2.java, the container log url will execute AdminAuthorizedServlet in the servlet chain and requires admin permission, which is wrong.
The container log url has it own authorization mechanism, besides, If the user is the owner of the container but it doesn't belong to admins, then the user will not be allowed to access the container log url, and it is not reasonable.

There are two ways to fix this defect:

change the parent path of container log url, for example, use "/clogs" instead of "/logs"
stop executing AdminAuthorizedServlet when accessing the child path of "/logs" in job history server.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Yuanbo Liu

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Feb/17 06:34

Updated:: 09/Feb/17 03:20

Resolved:: 09/Feb/17 03:20