Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2016/10/11 14:42:20 UTC

[jira] [Comment Edited] (HADOOP-13707) If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed

    [ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15565604#comment-15565604 ] 

Allen Wittenauer edited comment on HADOOP-13707 at 10/11/16 2:41 PM:
---------------------------------------------------------------------

/logs was specifically blocked way back when due to the sensitive nature of the content. Non-admin users shouldn't be looking at it at all and admin users have access from the shell.

It's probably also worth pointing out that these logs are typically huge and viewing them in a browser is a pretty terrible experience.


was (Author: aw):
/logs was specifically blocked way back when due to the sensitive nature of the content. Non-admin users shouldn't be looking at it at all and admin users have access from the shell.

> If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13707
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13707
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Yuanbo Liu
>              Labels: security
>         Attachments: HADOOP-13707.001.patch
>
>
> In {{HttpServer2#hasAdministratorAccess}}, it uses `hadoop.security.authorization` to detect whether HTTP is authenticated.
> It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, such as "/logs", and it will return an error message as below:
> {quote}
> HTTP ERROR 403
> Problem accessing /logs/. Reason:
> User dr.who is unauthorized to access this page.
> {quote}
> We should use {{hadoop.http.authentication.type}} instead of {{hadoop.security.authorization}} to detect whether HTTP authentication is enabled. If the value of {{hadoop.http.authentication.type}} equals `simple`, anybody has administrator access.



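Added example (not part of the original message and not Hadoop's own code): a simplified model of the two checks discussed in the issue, run over a constructed core-site.xml, showing that the configuration which yields the 403 today would leave /logs readable by any HTTP client under the proposed check. The function names and the defaults table are assumptions; `final` overrides and variable substitution in the XML are not handled.

```python
import xml.etree.ElementTree as ET

# Defaults assumed from Hadoop's core-default.xml; verify against your release.
DEFAULTS = {
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
}

# Constructed sample: Kerberos and service authorization on, HTTP SPNEGO not set.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""


def load_props(xml_text):
    """Return name -> value pairs from a Hadoop *-site.xml, layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def logs_exposure(props):
    """Classify who can read /logs under the reported and the proposed check."""
    authz_on = props["hadoop.security.authorization"].lower() == "true"
    http_simple = props["hadoop.http.authentication.type"].lower() == "simple"

    # Reported behaviour: the admin check keys off hadoop.security.authorization,
    # so an unauthenticated browser user (dr.who in the quoted error) gets 403.
    if not authz_on:
        current = "open to any HTTP client"
    elif http_simple:
        current = "403 for anonymous users"
    else:
        current = "admin ACL enforced"

    # Proposed behaviour: with 'simple' HTTP auth, anybody has administrator access.
    proposed = "open to any HTTP client" if http_simple else "admin ACL enforced"

    widens = current != proposed and proposed.startswith("open")
    return {"current": current, "proposed": proposed, "widens_access": widens}


if __name__ == "__main__":
    print(logs_exposure(load_props(SAMPLE_CORE_SITE)))
```
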