Posted to issues@hbase.apache.org by GitBox <gi...@apache.org> on 2020/01/24 21:22:03 UTC

[GitHub] [hbase] risdenk commented on a change in pull request #936: HBASE-17115 Define UI admins via an ACL

risdenk commented on a change in pull request #936: HBASE-17115 Define UI admins via an ACL
URL: https://github.com/apache/hbase/pull/936#discussion_r370847847
 
 

 ##########
 File path: hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
 ##########
 @@ -712,23 +723,24 @@ private void setContextAttributes(ServletContextHandler context, Configuration c
    * Add default servlets.
    */
   protected void addDefaultServlets(ContextHandlerCollection contexts) throws IOException {
+
     // set up default servlets
-    addServlet("stacks", "/stacks", StackServlet.class);
-    addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
+    addPrivilegedServlet("stacks", "/stacks", StackServlet.class);
+    addPrivilegedServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
     // Hadoop3 has moved completely to metrics2, and  dropped support for Metrics v1's
     // MetricsServlet (see HADOOP-12504).  We'll using reflection to load if against hadoop2.
     // Remove when we drop support for hbase on hadoop2.x.
     try {
-      Class clz = Class.forName("org.apache.hadoop.metrics.MetricsServlet");
-      addServlet("metrics", "/metrics", clz);
+      Class<?> clz = Class.forName("org.apache.hadoop.metrics.MetricsServlet");
+      addPrivilegedServlet("metrics", "/metrics", clz.asSubclass(HttpServlet.class));
     } catch (Exception e) {
       // do nothing
     }
-    addServlet("jmx", "/jmx", JMXJsonServlet.class);
-    addServlet("conf", "/conf", ConfServlet.class);
+    addPrivilegedServlet("jmx", "/jmx", JMXJsonServlet.class);
+    addUnprivilegedServlet("conf", "/conf", ConfServlet.class);
 
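Review bot: `/conf` is the one servlet in this hunk that is registered through `addUnprivilegedServlet`, while `/stacks`, `/logLevel`, `/metrics` and `/jmx` all move to `addPrivilegedServlet`; since the review comment below notes that the served configuration may contain values not protected by a credential store, the safer default is `addPrivilegedServlet("conf", "/conf", ConfServlet.class);`, or a code comment explaining why `/conf` is intentionally left open. Minor: the added blank line at the top of `addDefaultServlets` is a whitespace-only change that can be dropped.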
 Review comment:
  So `/conf` can also have secrets potentially? Assuming this picks up all the core-site, hdfs-site confs as well, it could technically have things not secured via Hadoop credential stores.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services