Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13707

If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha2
    • Component/s: None
    • Labels:

      Description

      In HttpServer2#hasAdministratorAccess, it uses `hadoop.security.authorization` to detect whether HTTP is authenticated.
      It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will return error message as below:

      HTTP ERROR 403
      Problem accessing /logs/. Reason:
      User dr.who is unauthorized to access this page.

      We should make sure HttpServletRequest#getAuthType is not null before we invoke HttpServer2#hasAdministratorAccess.

      getAuthType means to get the authorization scheme of this request

        Attachments

        1. HADOOP-13707.001.patch
          2 kB
          Yuanbo Liu
        2. HADOOP-13707.002.patch
          7 kB
          Yuanbo Liu
        3. HADOOP-13707.003.patch
          11 kB
          Yuanbo Liu
        4. HADOOP-13707.004.patch
          11 kB
          Yuanbo Liu
        5. HADOOP-13707-branch-2.8.patch
          11 kB
          Yuanbo Liu
        6. HADOOP-13707-branch-2.patch
          12 kB
          Yuanbo Liu
        7. HADOOP-13707-branch-2-addendum.patch
          0.8 kB
          Brahma Reddy Battula

          Issue Links

            Activity

              People

              • Assignee:
                yuanbo Yuanbo Liu
                Reporter:
                yuanbo Yuanbo Liu
              • Votes:
                0 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: