Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13119

Add ability to secure log servlet using proxy users

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.8.0, 2.7.4
    • 2.9.0, 2.7.4, 3.0.0-alpha4, 2.8.2
    • None
    • Incompatible change

    Description

      User Hadoop on secure mode.
      login as kdc user, kinit.
      start firefox and enable Kerberos
      access http://localhost:50070/logs/
      Get 403 authorization errors.
      only hdfs user could access logs.
      Would expect as a user to be able to web interface logs link.
      Same results if using curl:
      curl -v --negotiate -u tester: http://localhost:50070/logs/
      HTTP/1.1 403 User tester is unauthorized to access this page.
      so:
      1. either don't show links if hdfs user is able to access.
      2. provide mechanism to add users to web application realm.
      3. note that we are pass authentication so the issue is authorization to /logs/

      suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.

      Attachments

        1. HADOOP-13119.001.patch
          24 kB
          Yuanbo Liu
        2. HADOOP-13119.002.patch
          22 kB
          Yuanbo Liu
        3. HADOOP-13119.003.patch
          19 kB
          Yuanbo Liu
        4. HADOOP-13119.004.patch
          20 kB
          Yuanbo Liu
        5. HADOOP-13119.005.patch
          21 kB
          Yuanbo Liu
        6. HADOOP-13119.005.patch
          21 kB
          Yuanbo Liu
        7. screenshot-1.png
          43 kB
          Yuanbo Liu

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-14728 Configuring AuthenticationFilterInitializer throws IllegalArgumentException: Null user

          • Major - Major loss of function.
          • Open
          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-13718 There is no filterInitializer for initializing DelegationTokenAuthenticationFilter in Hadoop common

          • Major - Major loss of function.
          • Resolved
          is related to

          Sub-task - The sub-task of the issue HADOOP-16287 KerberosAuthenticationHandler Trusted Proxy Support for Knox

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-14077 Improve the patch of HADOOP-13119

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-14060 HTTP servlet /logs should require authentication and authorization

          • Critical - Crashes, loss of data, severe memory leak.
          • Reopened

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13707 If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              yuanbo Yuanbo Liu
              jeffreyr97 Jeffrey E Rodriguez
              Votes:
              0 Vote for this issue
              Watchers:
              22 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: