Project: HBase

HBASE-20472: InfoServer does not honour any ACL set by the admin



    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha-1
    • Component/s: security, UI
    • Labels:


      The adminsAcl property can be used to restrict access to certain sections of the web UI to a particular set of users/groups. But in HBase the adminsAcl field of the InfoServer's HttpServer is always null, so no ACL set by the admin is ever honoured. In fact I could not find any property in HBase to specify an ACL list for the web server.


      • The InfoServer constructor never sets an adminsAcl on the builder object for the HTTP server.

        public InfoServer(String name, String bindAddress, int port, boolean findPort,
            final Configuration c) {
          HttpServer.Builder builder =
              new org.apache.hadoop.hbase.http.HttpServer.Builder();
          // ... (no builder.setACL(...) call anywhere before build())
          this.httpServer = builder.build();

      See InfoServer constructor

      • HttpServer retrieves the null value from the builder and stores it as adminsAcl, which is then passed to the createWebAppContext() method.

        private HttpServer(final Builder b) throws IOException {
          this.adminsAcl = b.adminsAcl;
          // ...
          this.webAppContext = createWebAppContext(b.name, b.conf, adminsAcl, appDir);

      See L527 HttpServer.java

      • This method next sets the ADMINS_ACL attribute of the servlet context to null.

        private static WebAppContext createWebAppContext(String name,
            Configuration conf, AccessControlList adminsAcl, final String appDir) {
          WebAppContext ctx = new WebAppContext();
          // ...
          ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);

      • Now any page guarded by HttpServer.hasAdministratorAccess() will allow access to everyone, making the check useless.

        public void doGet(HttpServletRequest request, HttpServletResponse response
            ) throws ServletException, IOException {
          // Do the authorization
          if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
              response)) {
            // ...

      For example, see L104 LogLevel.java

      • hasAdministratorAccess() checks the following and returns true in every case, because the ADMINS_ACL attribute is always null and the first half of the condition never holds.

        public static boolean hasAdministratorAccess(
            ServletContext servletContext, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
          // ...
          if (servletContext.getAttribute(ADMINS_ACL) != null &&
              !userHasAdministratorAccess(servletContext, remoteUser)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
                + remoteUser + " is unauthorized to access this page.");
            return false;
          }
          return true;

      See line 1196 in HttpServer
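      The walkthrough above, modelled as an added example (not HBase's code) in Python: a Hadoop-style ACL, the context attribute the ticket names, and a check with the same shape as hasAdministratorAccess(), with a hypothetical fix that hands a configured ACL to the context. The ui.admins.acl configuration key, the simplified parse rules and the group lookup are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

ADMINS_ACL = "admins.acl"  # servlet-context attribute key named in the ticket

@dataclass
class AccessControlList:
    """Simplified Hadoop-style ACL: "user1,user2 group1,group2"; a bare "*" admits everyone."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    all_allowed: bool = False

    @classmethod
    def parse(cls, acl_string: str) -> "AccessControlList":
        if acl_string.strip() == "*":
            return cls(all_allowed=True)
        parts = acl_string.strip().split(" ", 1)
        users = {u for u in parts[0].split(",") if u}
        groups = {g for g in parts[1].split(",") if g} if len(parts) > 1 else set()
        return cls(users=users, groups=groups)

    def is_user_allowed(self, user: str, user_groups: set) -> bool:
        return self.all_allowed or user in self.users or bool(self.groups & user_groups)

def create_web_app_context(admins_acl: Optional[AccessControlList]) -> dict:
    """Mirrors createWebAppContext(): the value the builder carried is stored, even None."""
    return {ADMINS_ACL: admins_acl}

def info_server_context() -> dict:
    """InfoServer as the ticket describes it: the builder never receives an ACL."""
    return create_web_app_context(None)

def fixed_info_server_context(conf: dict) -> dict:
    """Hypothetical fix: read an ACL string from the configuration and hand it to the builder."""
    acl_string = conf.get("ui.admins.acl")  # placeholder key, not a real HBase property
    return create_web_app_context(AccessControlList.parse(acl_string) if acl_string else None)

def has_administrator_access(ctx: dict, remote_user: str, groups_of: Callable[[str], set]) -> bool:
    """Same shape as hasAdministratorAccess() in the ticket: a missing ACL short-circuits to True."""
    acl = ctx.get(ADMINS_ACL)
    if acl is not None and not acl.is_user_allowed(remote_user, groups_of(remote_user)):
        return False  # the real servlet also answers 401 Unauthorized here
    return True
```

      With the context built the way InfoServer builds it today, every caller passes the check; only once an ACL is actually stored in the context does the user/group test run.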

    • Assignee: Nihal Jain