[HADOOP-13707] If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 3.0.0-alpha2
Component/s: None
Labels:
- security

Target Version/s:

2.8.0, 2.9.0, 3.0.0-alpha2, 2.7.5

Description

In HttpServer2#hasAdministratorAccess, it uses `hadoop.security.authorization` to detect whether HTTP is authenticated.
It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will return error message as below:

HTTP ERROR 403
Problem accessing /logs/. Reason:
User dr.who is unauthorized to access this page.

We should make sure HttpServletRequest#getAuthType is not null before we invoke HttpServer2#hasAdministratorAccess.

getAuthType means to get the authorization scheme of this request

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-13707.001.patch
11/Oct/16 10:09
2 kB
Yuanbo Liu
HADOOP-13707.002.patch
12/Oct/16 07:07
7 kB
Yuanbo Liu
HADOOP-13707.003.patch
12/Oct/16 11:03
11 kB
Yuanbo Liu
HADOOP-13707.004.patch
13/Oct/16 01:01
11 kB
Yuanbo Liu
HADOOP-13707-branch-2.8.patch
15/Oct/16 13:59
11 kB
Yuanbo Liu
HADOOP-13707-branch-2.patch
15/Oct/16 13:58
12 kB
Yuanbo Liu
HADOOP-13707-branch-2-addendum.patch
15/Oct/16 11:18
0.8 kB
Brahma Reddy Battula

Issue Links

breaks

HADOOP-14024 KMS JMX endpoint throws ClassNotFoundException

Resolved

is related to

HADOOP-13119 Add ability to secure log servlet using proxy users

Resolved

Activity

People

Assignee:: Yuanbo Liu

Reporter:: Yuanbo Liu

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 11/Oct/16 10:05

Updated:: 02/Oct/19 17:12

Resolved:: 16/Oct/16 04:29