Description
The default HttpServer2 servlets /jmx, /conf, /logLevel, and /stacks do not require authentication when Kerberos is enabled.
HttpServer2#addDefaultServlets
    // set up default servlets
    addServlet("stacks", "/stacks", StackServlet.class);
    addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
    addServlet("jmx", "/jmx", JMXJsonServlet.class);
    addServlet("conf", "/conf", ConfServlet.class);
HttpServer2#addServlet
    public void addServlet(String name, String pathSpec,
        Class<? extends HttpServlet> clazz) {
      // requireAuth is hard-coded to false for every servlet added this way
      addInternalServlet(name, pathSpec, clazz, false);
      addFilterPathMapping(pathSpec, webAppContext);
    }
HttpServer2#addInternalServlet
    addInternalServlet(…, boolean requireAuth) {
      …
      // the SPNEGO filter is only attached when the caller asked for it
      if (requireAuth && UserGroupInformation.isSecurityEnabled()) {
        LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
        …
      }
Because addServlet always passes requireAuth=false into addInternalServlet, the SPNEGO filter is never attached to the default servlets, even when security is enabled.
The issue can be verified by running the following commands against the NameNode web address when Kerberos is enabled:
    kdestroy
    curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
With no Kerberos ticket after kdestroy, curl is expected to be rejected, but it returns the JMX output anyway.
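As an added verification script (not part of this issue or of Hadoop), the check above is extended to all four default servlets and reports which of them answer an unauthenticated request; the NN_WEB variable, the helper names and the verdict labels are assumptions, and the paths are the ones listed in addDefaultServlets.

```shell
#!/bin/sh
# Added example: audit the default HttpServer2 servlets without Kerberos
# credentials. Assumes curl is installed and NN_WEB is "host:port" of the
# NameNode web endpoint (constructed/assumed; not defined by the issue).

DEFAULT_SERVLETS="/jmx /conf /logLevel /stacks"

# Print the HTTP status curl received for $1$2 (000 if no response).
probe_status() {
  curl --negotiate -u: -k -sS -o /dev/null -w '%{http_code}' "$1$2"
}

# Classify a status for a request sent with no ticket: any 2xx means the
# servlet served content without SPNEGO; 401/403 means the filter held.
classify_status() {
  case "$1" in
    2??)     echo "EXPOSED" ;;
    401|403) echo "protected" ;;
    000)     echo "unreachable" ;;
    *)       echo "other($1)" ;;
  esac
}

# Probe every default servlet under base URL $1; print "path status verdict"
# per line and return 1 if at least one servlet is exposed.
audit_servlets() {
  rc=0
  for p in $DEFAULT_SERVLETS; do
    s=$(probe_status "$1" "$p")
    v=$(classify_status "$s")
    [ "$v" = "EXPOSED" ] && rc=1
    printf '%s %s %s\n' "$p" "$s" "$v"
  done
  return $rc
}

# Only touch the network when an endpoint was supplied.
if [ -n "$NN_WEB" ]; then
  kdestroy 2>/dev/null  # drop any ticket so --negotiate has nothing to send
  audit_servlets "https://$NN_WEB"
fi
```

Run as `NN_WEB=<nn-web>:9871 sh audit.sh`; every line reading EXPOSED is a servlet that served its content without SPNEGO.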