You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Brahma Reddy Battula (Jira)" <ji...@apache.org> on 2020/04/10 18:15:09 UTC
[jira] [Updated] (HADOOP-14786) HTTP default servlets do not
require authentication when kerberos is enabled
[ https://issues.apache.org/jira/browse/HADOOP-14786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brahma Reddy Battula updated HADOOP-14786:
------------------------------------------
Target Version/s: 3.4.0 (was: 3.3.0)
Bulk update: moved all 3.3.0 non-blocker issues, please move back if it is a blocker.
> HTTP default servlets do not require authentication when kerberos is enabled
> ----------------------------------------------------------------------------
>
> Key: HADOOP-14786
> URL: https://issues.apache.org/jira/browse/HADOOP-14786
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: John Zhuge
> Assignee: John Zhuge
> Priority: Major
>
> The default HttpServer2 servlet /jmx, /conf, /logLevel, and /stack do not require authentication when Kerberos is enabled.
> {code:java|title=HttpServer2#addDefaultServlets}
> // set up default servlets
> addServlet("stacks", "/stacks", StackServlet.class);
> addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
> addServlet("jmx", "/jmx", JMXJsonServlet.class);
> addServlet("conf", "/conf", ConfServlet.class);
> {code}
> {code:java|title=HttpServer2#addServlet}
> public void addServlet(String name, String pathSpec,
> Class<? extends HttpServlet> clazz) {
> addInternalServlet(name, pathSpec, clazz, false);
> addFilterPathMapping(pathSpec, webAppContext);
> {code}
> {code:java|title=Httpserver2#addInternalServlet}
> addInternalServlet(…, bool requireAuth)
> …
> if(requireAuth && UserGroupInformation.isSecurityEnabled()) {
> LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
> {code}
> {{requireAuth}} is {{false}} for the default servlets inside {{addInternalServlet}}.
> The issue can be verified by running the following curl command against NameNode web address when Kerberos is enabled:
> {noformat}
> kdestroy
> curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
> {noformat}
> Expect curl to fail, but it returns JMX anyway.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org