Require admin to access KMS instrumentation servlets

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-alpha4
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: kms
    • Labels:
      None

      Description

      Discovered during HDFS-10860 review. To require admin to access KMS instrumentation servlets, HttpServer2#setACL must be called. Add configuration property hadoop.httpfs.http.administrators, similar to dfs.cluster.administrators.

      1. HADOOP-14047.003.patch
        8 kB
        John Zhuge
      2. HADOOP-14047.002.patch
        8 kB
        John Zhuge
      3. HADOOP-14047.001.patch
        8 kB
        John Zhuge

          Activity

          jzhuge John Zhuge added a comment -

          Patch 001

          • Add config property hadoop.kms.http.administrators to control access to instrumentation servlets

          TESTING DONE

          • KMS Bats regression tests https://github.com/jzhuge/hadoop-regression-tests in insecure and ssl mode
          • Verify /jmx, /logLevel, /conf, and /stack as user dr.who and jzhuge with hadoop.kms.http.administrators set to “” (no access), “*” (all access), “${user.name}”
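How the values from the testing notes above evaluate against Hadoop's AccessControlList, the type that HttpServer2's setACL accepts. This is an added example, not code from the patch or from the commenters. It needs hadoop-common on the classpath; the class name KmsAdminAclMatrix, the group names and the " kmsadmins" value are assumptions, and "jzhuge" stands in for an expanded ${user.name}.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;

/** Added example: how candidate hadoop.kms.http.administrators values evaluate. */
public class KmsAdminAclMatrix {

  /** Classify an ACL the way an operator reviewing kms-site.xml would. */
  static String describe(AccessControlList acl) {
    if (acl.isAllAllowed()) {
      return "OPEN: every caller passes the admin check";
    }
    if (acl.getUsers().isEmpty() && acl.getGroups().isEmpty()) {
      return "CLOSED: nobody passes the admin check";
    }
    return "RESTRICTED: users=" + acl.getUsers() + " groups=" + acl.getGroups();
  }

  public static void main(String[] args) {
    // Constructed identities: user names come from the thread, groups are hypothetical.
    List<UserGroupInformation> callers = Arrays.asList(
        UserGroupInformation.createUserForTesting("dr.who", new String[] {"users"}),
        UserGroupInformation.createUserForTesting("jzhuge",
            new String[] {"users", "kmsadmins"}));

    // Values as they would reach the ACL after Configuration expands variables.
    // "jzhuge" stands in for an expanded ${user.name}; " kmsadmins" uses the
    // "users<space>groups" form with an empty user list and a hypothetical group.
    List<String> values = Arrays.asList("", "*", "jzhuge", " kmsadmins");

    for (String value : values) {
      AccessControlList acl = new AccessControlList(value);
      System.out.printf("value=\"%s\" -> %s%n", value, describe(acl));
      for (UserGroupInformation caller : callers) {
        System.out.printf("  %-7s admin=%b%n",
            caller.getShortUserName(), acl.isUserAllowed(caller));
      }
    }
  }
}
```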
          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 14s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 13m 13s trunk passed
          +1 compile 13m 9s trunk passed
          +1 checkstyle 0m 18s trunk passed
          +1 mvnsite 0m 50s trunk passed
          +1 mvneclipse 0m 17s trunk passed
          +1 findbugs 0m 26s trunk passed
          +1 javadoc 0m 18s trunk passed
          +1 mvninstall 0m 14s the patch passed
          +1 compile 11m 32s the patch passed
          +1 javac 11m 32s the patch passed
          -0 checkstyle 0m 16s hadoop-common-project/hadoop-kms: The patch generated 2 new + 4 unchanged - 0 fixed = 6 total (was 4)
          +1 mvnsite 0m 45s the patch passed
          +1 mvneclipse 0m 17s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 2s The patch has no ill-formed XML file.
          +1 findbugs 0m 35s the patch passed
          +1 javadoc 0m 16s the patch passed
          +1 unit 2m 18s hadoop-kms in the patch passed.
          +1 asflicense 0m 33s The patch does not generate ASF License warnings.
          47m 19s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-14047
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12850566/HADOOP-14047.001.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle xml
          uname Linux 1e2412902f5c 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 2a942ee
          Default Java 1.8.0_121
          findbugs v3.0.0
          checkstyle https://builds.apache.org/job/PreCommit-HADOOP-Build/11556/artifact/patchprocess/diff-checkstyle-hadoop-common-project_hadoop-kms.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11556/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11556/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          jzhuge John Zhuge added a comment -

          Patch 002

          • Fix checkstyle
          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 13s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 12m 55s trunk passed
          +1 compile 13m 45s trunk passed
          +1 checkstyle 0m 17s trunk passed
          +1 mvnsite 0m 51s trunk passed
          +1 mvneclipse 0m 15s trunk passed
          +1 findbugs 0m 27s trunk passed
          +1 javadoc 0m 18s trunk passed
          +1 mvninstall 0m 16s the patch passed
          +1 compile 11m 53s the patch passed
          +1 javac 11m 53s the patch passed
          +1 checkstyle 0m 17s the patch passed
          +1 mvnsite 0m 45s the patch passed
          +1 mvneclipse 0m 19s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 1s The patch has no ill-formed XML file.
          +1 findbugs 0m 35s the patch passed
          +1 javadoc 0m 17s the patch passed
          +1 unit 2m 14s hadoop-kms in the patch passed.
          +1 asflicense 0m 31s The patch does not generate ASF License warnings.
          47m 52s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-14047
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12850584/HADOOP-14047.002.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle xml
          uname Linux acad8a4f7fcb 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 2a942ee
          Default Java 1.8.0_121
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11557/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11557/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          xiaochen Xiao Chen added a comment -

          Thanks for the patch John Zhuge. LGTM, +1 pending figuring out about the /logs as discussed in HDFS-10860, and possibly updating the configs/docs here.

          jzhuge John Zhuge added a comment -

          Patch 003

          • Update index.md.vm to include /logs in access control even though it does not work right now

          Filed HADOOP-14060 KMS /logs servlet should have access control.

          TESTING DONE

          • KMS Bats regression tests https://github.com/jzhuge/hadoop-regression-tests in insecure, ssl, and ssl+kerberos mode
          • Verify /jmx, /logLevel, /conf, and /stack with hadoop.kms.http.administrators set to “$USER” and kerberos login set to "hdfs" or "$USER".
          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 19s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 13m 25s trunk passed
          +1 compile 12m 19s trunk passed
          +1 checkstyle 0m 18s trunk passed
          +1 mvnsite 0m 51s trunk passed
          +1 mvneclipse 0m 18s trunk passed
          +1 findbugs 0m 29s trunk passed
          +1 javadoc 0m 18s trunk passed
          +1 mvninstall 0m 14s the patch passed
          +1 compile 11m 9s the patch passed
          +1 javac 11m 9s the patch passed
          +1 checkstyle 0m 17s the patch passed
          +1 mvnsite 0m 45s the patch passed
          +1 mvneclipse 0m 18s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 2s The patch has no ill-formed XML file.
          +1 findbugs 0m 35s the patch passed
          +1 javadoc 0m 17s the patch passed
          +1 unit 2m 14s hadoop-kms in the patch passed.
          +1 asflicense 0m 32s The patch does not generate ASF License warnings.
          46m 27s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-14047
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12851118/HADOOP-14047.003.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle xml
          uname Linux 679b6909d9c5 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 9cbbd1e
          Default Java 1.8.0_121
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11587/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11587/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          xiaochen Xiao Chen added a comment -

          Doc change so no test added. +1, committing this shortly.

          xiaochen Xiao Chen added a comment -

          Committed to trunk, thanks for the prompt fix John!

          jzhuge John Zhuge added a comment -

          Thanks Xiao Chen for your help in the review and commit!

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11215 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11215/)
          HADOOP-14047. Require admin to access KMS instrumentation servlets. (xiao: rev d88497d44a7c34ae4cf0295c89b3584d834057d5)

          • (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
          • (edit) hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
          • (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
          • (edit) hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml
          • (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java

            People

            • Assignee:
              jzhuge John Zhuge
              Reporter:
              jzhuge John Zhuge
            • Votes: 0
            • Watchers: 4
