Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-20472

InfoServer doesnot honour any acl set by the admin

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 3.0.0
    • Component/s: security, UI
    • Labels:
      None

      Description

      The adminsAcl property can be used to restrict access to certain sections of the web UI only to a particular set of users/groups. But in hbase,  adminAcl variable for InfoServer is always null, rendering it to not honour any acl set by the admin. In fact I could not find any property in hbase to specify acl list for web server.

      Analysis:

      • InfoSever object forgets to set any adminAcl in the builder object for http server.
      public InfoServer(String name, String bindAddress, int port, boolean findPort,
      final Configuration c) {
          .
          .
         
          HttpServer.Builder builder =
      new org.apache.hadoop.hbase.http.HttpServer.Builder();
          .
          .
      
          this.httpServer = builder.build();
      }

      See InfoServer constructor

      • http server retreives a null value and sets it as adminsAcl, which is passed to createWebAppContext() method
      private HttpServer(final Builder b) throws IOException {
          .
          .
          .
      
          this.adminsAcl = b.adminsAcl;
          this.webAppContext = createWebAppContext(b.name, b.conf, adminsAcl, appDir);
          
          .
          .
      }

      See L527 HttpServer.java

      • This method next sets ADMIN_ACL attribute for the servlet context to null
      private static WebAppContext createWebAppContext(String name,
      Configuration conf, AccessControlList adminsAcl, final String appDir) {
          WebAppContext ctx = new WebAppContext();
          .
          .
      
          ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
      
          .
          .
      }
      
      • Now any page having HttpServer.hasAdministratorAccess() will allow access to everyone, making this check useless. 
      @Override
      public void doGet(HttpServletRequest request, HttpServletResponse response
      ) throws ServletException, IOException {
      
          // Do the authorization
          if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
          response)) {
          return;
          }
      
      .
      .
      }

      For example See L104 LogLevel.java

      • hasAdministratorAccess() checks for the following and returns true, in any case as ADMIN_ACL is always null
      public static boolean hasAdministratorAccess(
      ServletContext servletContext, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
          .    
          .
      
          if (servletContext.getAttribute(ADMINS_ACL) != null &&
              !userHasAdministratorAccess(servletContext, remoteUser)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
               + remoteUser + " is unauthorized to access this page.");
             return false;
          }
          return true;
      }

      See line 1196 in HttpServer

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                nihaljain.cs Nihal Jain
                Reporter:
                nihaljain.cs Nihal Jain
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: