Hadoop Common: HADOOP-14786

HTTP default servlets do not require authentication when kerberos is enabled


Details

    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      The default HttpServer2 servlets /jmx, /conf, /logLevel, and /stacks do not require authentication when Kerberos is enabled.

      HttpServer2#addDefaultServlets
        // set up default servlets
        addServlet("stacks", "/stacks", StackServlet.class);
        addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
        addServlet("jmx", "/jmx", JMXJsonServlet.class);
        addServlet("conf", "/conf", ConfServlet.class);

      HttpServer2#addServlet
      public void addServlet(String name, String pathSpec,
                             Class<? extends HttpServlet> clazz) {
        // requireAuth is hard-coded to false here
        addInternalServlet(name, pathSpec, clazz, false);
        addFilterPathMapping(pathSpec, webAppContext);
      }

      HttpServer2#addInternalServlet
      addInternalServlet(…, boolean requireAuth)
      …
      if (requireAuth && UserGroupInformation.isSecurityEnabled()) {
        LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
        …
      }

      addServlet always passes requireAuth = false to addInternalServlet, so the SPNEGO filter is never added to the default servlets even when security is enabled.

      The issue can be verified by running the following curl command against the NameNode web address when Kerberos is enabled (kdestroy first, so curl has no ticket to negotiate with):

      kdestroy
      curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'

      curl is expected to be rejected, but the JMX output is returned anyway.
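      The curl check above covers one servlet. The script below is an added example (not code from the Hadoop project or from this report) that repeats the same unauthenticated probe against all four default servlets named in the description and lists the ones that answer 200 instead of 401. The endpoint list, the function names and the stand-in HTTP server are assumptions for illustration; the stand-in deliberately leaves /jmx and /conf unprotected so the check can be exercised offline.

```python
"""Audit Hadoop HttpServer2 default servlets for missing authentication.

Added example for HADOOP-14786, not Hadoop project code. It sends plain GETs
(no Kerberos ticket, no Authorization header) to each default servlet path and
reports those that serve content (200) instead of demanding SPNEGO (401).
A constructed stand-in server is included so the check runs offline.
"""
import http.server
import ssl
import threading
import urllib.error
import urllib.request

# The four servlets registered by HttpServer2#addDefaultServlets (from the report).
DEFAULT_SERVLETS = ("/jmx", "/conf", "/logLevel", "/stacks")


def probe(base_url, path, timeout=5):
    """Unauthenticated GET of base_url+path; returns (path, http_status) or
    (path, None) when the connection itself fails."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    # Equivalent of curl -k: daemon web certs are often self-signed and we are
    # testing authentication, not the TLS chain.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return path, resp.status
    except urllib.error.HTTPError as e:        # 401/403/500 arrive here
        return path, e.code
    except (urllib.error.URLError, OSError):
        return path, None


def audit(base_url, paths=DEFAULT_SERVLETS):
    """Return the paths that served content without authentication (HTTP 200).
    With Kerberos enabled every default servlet should instead return 401
    with a WWW-Authenticate: Negotiate header."""
    return [p for p, status in (probe(base_url, p) for p in paths) if status == 200]


class _FakeHadoopWeb(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a NameNode web endpoint: /jmx and /conf answer
    without auth (the reported bug); the others behave like a filtered servlet."""
    UNPROTECTED = {"/jmx", "/conf"}

    def do_GET(self):
        if self.path in self.UNPROTECTED:
            body = b'{"beans":[]}'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
        else:
            body = b"Authentication required"
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Start the stand-in on an ephemeral loopback port; returns (base_url, server)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeHadoopWeb)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    import sys
    # Real use (after kdestroy): python audit_servlets.py https://<nn-web>:9871
    # With no argument the constructed stand-in server is probed instead.
    target = sys.argv[1] if len(sys.argv) > 1 else start_fake_server()[0]
    leaking = audit(target)
    for p in leaking:
        print("UNAUTHENTICATED 200:", target + p)
    print("ok" if not leaking else "%d default servlet(s) served without auth" % len(leaking))
```

      Run it with no ticket in the credential cache (kdestroy first), exactly as the curl check does; any path it lists is a servlet that the SPNEGO filter is not covering.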

      People: jzhuge John Zhuge