Posted to common-dev@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2017/02/10 15:05:42 UTC
[jira] [Resolved] (HADOOP-13119) Web UI error accessing links which need authorization when Kerberos
[ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Allen Wittenauer resolved HADOOP-13119.
---------------------------------------
Resolution: Fixed
Fix Version/s: 3.0.0-alpha2
Re-resolving this as this was committed to 3.0.0-alpha2 as well, despite it missing from the fix field. Since it's already been committed and released, we can't revert it or re-open this JIRA.
You'll need to open a new JIRA with a code fix.
> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
> Key: HADOOP-13119
> URL: https://issues.apache.org/jira/browse/HADOOP-13119
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.8.0, 2.7.4
> Reporter: Jeffrey E Rodriguez
> Assignee: Yuanbo Liu
> Labels: security
> Fix For: 2.7.4, 2.8.1, 3.0.0-alpha2
>
> Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, HADOOP-13119.003.patch, HADOOP-13119.004.patch, HADOOP-13119.005.patch, HADOOP-13119.005.patch, screenshot-1.png
>
>
> Use Hadoop in secure mode.
> Log in as kdc user, kinit.
> Start Firefox and enable Kerberos.
> Access http://localhost:50070/logs/
> Get 403 authorization errors.
> Only hdfs user could access logs.
> Would expect as a user to be able to access web interface logs link.
> Same results if using curl:
> curl -v --negotiate -u tester: http://localhost:50070/logs/
> HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are past authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't have access to secure paths.