Posted to common-issues@hadoop.apache.org by "Philip Zeyliger (JIRA)" <ji...@apache.org> on 2012/05/01 23:03:03 UTC

[jira] [Created] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Philip Zeyliger created HADOOP-8343:
---------------------------------------

             Summary: Allow configuration of authorization for JmxJsonServlet and MetricsServlet
                 Key: HADOOP-8343
                 URL: https://issues.apache.org/jira/browse/HADOOP-8343
             Project: Hadoop Common
          Issue Type: New Feature
          Components: util
    Affects Versions: 2.0.0
            Reporter: Philip Zeyliger


When using authorization for the daemons' web server, it would be useful to specifically control the authorization requirements for accessing /jmx and /metrics.  Currently, they require administrative access.  This JIRA would propose that whether or not they are available to administrators only or to all users be controlled by "hadoop.instrumentation.requires.administrator" (or similar).  The default would be that administrator access is required.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266314#comment-13266314 ] 

Alejandro Abdelnur commented on HADOOP-8343:
--------------------------------------------

the javadoc warnings seem unrelated to this patch
                
> Allow configuration of authorization for JmxJsonServlet and MetricsServlet
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-8343
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8343
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: util
>    Affects Versions: 2.0.0
>            Reporter: Philip Zeyliger
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-8343.patch
>
>
> When using authorization for the daemons' web server, it would be useful to specifically control the authorization requirements for accessing /jmx and /metrics.  Currently, they require administrative access.  This JIRA would propose that whether or not they are available to administrators only or to all users be controlled by "hadoop.instrumentation.requires.administrator" (or similar).  The default would be that administrator access is required.


        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Attachment: HADOOP-8343.patch
    

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Attachment:     (was: HADOOP-8343.patch)
    

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Attachment: HADOOP-8343.patch

attached is a patch that adds a "hadoop.security.anonymous.instrumentation.access" configuration property which is TRUE by default and if set to TRUE enables anonymous access (without ACLs enforcement).

This works because (as it seems intended) in HttpServer, the JMX, METRICS & CONF servlets are added without requiring authentication.
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268005#comment-13268005 ] 

Aaron T. Myers commented on HADOOP-8343:
----------------------------------------

+1 pending Jenkins. One tiny nit:

{noformat}
+   * If <code>hadoop.security.instrumentation.requires.admin</code> is set to FALSE
+   * (default value) it returns always returns TRUE.
{noformat}
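
Review bot: the second Javadoc line, "(default value) it returns always returns TRUE", repeats "returns" and should read "it always returns TRUE". These lines also make FALSE the default for hadoop.security.instrumentation.requires.admin, so the check passes for every caller unless an operator changes the property, whereas the issue description proposed that administrator access be required by default; the Javadoc should say plainly that the default leaves the instrumentation servlets open, and that setting the property to TRUE restricts them to administrators.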

One too many "returns" in the sentence above.
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268095#comment-13268095 ] 

Hudson commented on HADOOP-8343:
--------------------------------

Integrated in Hadoop-Common-trunk-Commit #2186 (See [https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2186/])
    HADOOP-8343. Allow configuration of authorization for JmxJsonServlet and MetricsServlet (tucu) (Revision 1333750)

     Result = SUCCESS
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1333750
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/HttpServerFunctionalTest.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13267901#comment-13267901 ] 

Aaron T. Myers commented on HADOOP-8343:
----------------------------------------

Patch looks pretty good to me. Just a few small comments. +1 once these are addressed:

# I think we should take /logLevel out of the set of servlets which this new config allows anon access to. Since it's writable, it seems like requiring admin access in all cases is reasonable.
# Recommend renaming "hadoop.security.authorization.for.instrumentation" to "hadoop.security.instrumentation.requires.admin".
# Recommend renaming "checkInstrumentationAccess" to "isInstrumentationAccessAllowed".
# The method comment of checkInstrumentationAccess is a little misleading. Instead of "Returns if anonymous authentication access to instrumentation servlets is allowed or not" it should be something like "Return true if admin privileges are not required to access instrumentation, or this user is authenticated and an administrator. Return false otherwise."
# The method checkInstrumentationAccess can be simplified a little, e.g. "return !adminAccessRequired || hasAdministratorAccess(...)"
# The entry for this new config in core-default.xml only lists /jmx, /metrics, and /conf. /stacks should also be added (and /logLevel if you object to comment #1 above.)
# There are a few spots in the patch where you use 4-space indentation instead of Hadoop's standard 2.
# The test should probably also include the case where admin access is required and the user _is_ listed as an admin.
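
The access decision recommended in the review above, as an added example (not the HADOOP-8343 patch and not Hadoop's own code): a dependency-free Java model that applies the suggested one-line check to /jmx, /metrics, /conf and /stacks, keeps /logLevel admin-only, and prints the full decision matrix, including the "admin required and the user is an admin" case. The class name, the simplified `hasAdministratorAccess` signature, and the user names are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration: a stand-alone model of the check discussed in this thread.
// It is not Hadoop's HttpServer code and has no Hadoop dependencies.
public class InstrumentationAccessModel {

  // Property name recommended in review comment 2.
  static final String REQUIRES_ADMIN_KEY =
      "hadoop.security.instrumentation.requires.admin";

  // Read-only servlets governed by the property (review comment 6).
  static final Set<String> INSTRUMENTATION = Collections.unmodifiableSet(
      new HashSet<>(Arrays.asList("/jmx", "/metrics", "/conf", "/stacks")));

  // Writable servlet that review comment 1 keeps admin-only in all cases.
  static final String LOG_LEVEL = "/logLevel";

  // Assumption: simplified stand-in for hasAdministratorAccess(...); the page
  // elides its real arguments. Anonymous callers (null user) are never admins.
  static boolean hasAdministratorAccess(String remoteUser, Set<String> adminAcl) {
    return remoteUser != null && adminAcl.contains(remoteUser);
  }

  // Shape suggested in review comment 5: allowed when admin privileges are not
  // required, or when the caller is authenticated and listed as an admin.
  static boolean isInstrumentationAccessAllowed(
      boolean adminAccessRequired, String remoteUser, Set<String> adminAcl) {
    return !adminAccessRequired || hasAdministratorAccess(remoteUser, adminAcl);
  }

  // Per-path decision: /logLevel ignores the property, the read-only
  // instrumentation servlets honour it.
  static boolean isAllowed(
      String path, boolean adminAccessRequired, String remoteUser, Set<String> adminAcl) {
    if (LOG_LEVEL.equals(path)) {
      return hasAdministratorAccess(remoteUser, adminAcl);
    }
    if (INSTRUMENTATION.contains(path)) {
      return isInstrumentationAccessAllowed(adminAccessRequired, remoteUser, adminAcl);
    }
    throw new IllegalArgumentException("path not covered by this model: " + path);
  }

  public static void main(String[] args) {
    // Constructed sample data: one admin, one ordinary user, one anonymous caller.
    Set<String> adminAcl = Collections.singleton("hdfs-admin");
    String[] users = {null, "alice", "hdfs-admin"};
    String[] paths = {"/jmx", "/metrics", "/conf", "/stacks", "/logLevel"};

    for (boolean requiresAdmin : new boolean[] {false, true}) {
      System.out.println(REQUIRES_ADMIN_KEY + "=" + requiresAdmin);
      for (String user : users) {
        StringBuilder row = new StringBuilder();
        row.append(String.format("  %-12s", user == null ? "(anonymous)" : user));
        for (String path : paths) {
          row.append(' ').append(path).append('=')
             .append(isAllowed(path, requiresAdmin, user, adminAcl) ? "allow" : "deny");
        }
        System.out.println(row);
      }
    }
  }
}
```

With the property at its FALSE default, every caller (including an anonymous one) reaches the four read-only servlets; only /logLevel stays restricted to the admin user.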
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266970#comment-13266970 ] 

Alejandro Abdelnur commented on HADOOP-8343:
--------------------------------------------

javadoc warnings seem unrelated
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268124#comment-13268124 ] 

Hudson commented on HADOOP-8343:
--------------------------------

Integrated in Hadoop-Mapreduce-trunk-Commit #2204 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2204/])
    HADOOP-8343. Allow configuration of authorization for JmxJsonServlet and MetricsServlet (tucu) (Revision 1333750)

     Result = ABORTED
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1333750
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/HttpServerFunctionalTest.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268327#comment-13268327 ] 

Hudson commented on HADOOP-8343:
--------------------------------

Integrated in Hadoop-Hdfs-trunk #1034 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1034/])
    HADOOP-8343. Allow configuration of authorization for JmxJsonServlet and MetricsServlet (tucu) (Revision 1333750)

     Result = FAILURE
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1333750
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/HttpServerFunctionalTest.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Status: Patch Available  (was: Open)
    

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266425#comment-13266425 ] 

Aaron T. Myers commented on HADOOP-8343:
----------------------------------------

+1, the patch looks good to me.
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266803#comment-13266803 ] 

Alejandro Abdelnur commented on HADOOP-8343:
--------------------------------------------

the scope of this auth requirement should be extended to the stacks/ and logLevel/ servlets
                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0
     Hadoop Flags: Reviewed
           Status: Resolved  (was: Patch Available)

committed to trunk and branch-2
                
> Allow configuration of authorization for JmxJsonServlet and MetricsServlet
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-8343
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8343
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: util
>    Affects Versions: 2.0.0
>            Reporter: Philip Zeyliger
>            Assignee: Alejandro Abdelnur
>             Fix For: 2.0.0
>
>         Attachments: HADOOP-8343.patch, HADOOP-8343.patch, HADOOP-8343.patch
>
>
> When using authorization for the daemons' web server, it would be useful to specifically control the authorization requirements for accessing /jmx and /metrics.  Currently, they require administrative access.  This JIRA would propose that whether or not they are available to administrators only or to all users be controlled by "hadoop.instrumentation.requires.administrator" (or similar).  The default would be that administrator access is required.


        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266289#comment-13266289 ] 

Hadoop QA commented on HADOOP-8343:
-----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12525245/HADOOP-8343.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 3 new or modified test files.

    -1 javadoc.  The javadoc tool appears to have generated 2 warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in hadoop-common-project/hadoop-common.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/918//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/918//console

This message is automatically generated.
                

        

[jira] [Assigned] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur reassigned HADOOP-8343:
------------------------------------------

    Assignee: Alejandro Abdelnur
    

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268382#comment-13268382 ] 

Hudson commented on HADOOP-8343:
--------------------------------

Integrated in Hadoop-Mapreduce-trunk #1069 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1069/])
    HADOOP-8343. Allow configuration of authorization for JmxJsonServlet and MetricsServlet (tucu) (Revision 1333750)

     Result = SUCCESS
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1333750
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/HttpServerFunctionalTest.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13266942#comment-13266942 ] 

Hadoop QA commented on HADOOP-8343:
-----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12525350/HADOOP-8343.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 2 new or modified test files.

    -1 javadoc.  The javadoc tool appears to have generated 2 warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in hadoop-common-project/hadoop-common.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/922//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/922//console

This message is automatically generated.
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268097#comment-13268097 ] 

Hudson commented on HADOOP-8343:
--------------------------------

Integrated in Hadoop-Hdfs-trunk-Commit #2260 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2260/])
    HADOOP-8343. Allow configuration of authorization for JmxJsonServlet and MetricsServlet (tucu) (Revision 1333750)

     Result = SUCCESS
tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1333750
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics/MetricsServlet.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/HttpServerFunctionalTest.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java

                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Attachment: HADOOP-8343.patch

@atm, thx. Integrated all your comments except #5, as a boolean expression of a NEG and an OR is more difficult to follow than the current linear code (the compiler/JVM will take care of optimizing this anyway).
                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Status: Patch Available  (was: Open)
    

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268077#comment-13268077 ] 

Alejandro Abdelnur commented on HADOOP-8343:
--------------------------------------------

javadocs warning and testcase failure seem unrelated.
                

        

[jira] [Commented] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268024#comment-13268024 ] 

Hadoop QA commented on HADOOP-8343:
-----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12525545/HADOOP-8343.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 2 new or modified test files.

    -1 javadoc.  The javadoc tool appears to have generated 2 warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    -1 core tests.  The patch failed these unit tests in hadoop-common-project/hadoop-common:

                  org.apache.hadoop.fs.viewfs.TestViewFsTrash

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/936//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/936//console

This message is automatically generated.
                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Status: Open  (was: Patch Available)

After some investigation on how the HttpServer binds the JMX and METRICS servlets (hardcoded not to add the SPNEGO filter) it seems to me that the correct approach would be:

* have a 'hadoop.security.require.authentication.for.instrumentation' config property set to FALSE by default.
* HttpServer addition of JMX, METRICS and CONF servlets should register the servlets to require authentication or not based on the above property.
* remove the hasAdminAccess check for the JMX, METRICS and CONF servlets.

                

        

[jira] [Updated] (HADOOP-8343) Allow configuration of authorization for JmxJsonServlet and MetricsServlet

Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-8343:
---------------------------------------

    Attachment: HADOOP-8343.patch

After further digging I think I figured out how things are supposed to work:

# the instrumentation servlets (stacks/, logLevel/, conf/, metrics/, jmx/) are not to be authentication protected by the built-in SPNEGO filter.
# the instrumentation servlets are authentication protected if a custom filter (via FilterInitializer) is added.
# the instrumentation servlets had a check, hasAdminAccess(), that guards their access, restricting access to admin users if security/authorization is ON. This check was incorrect and was fixed by HADOOP-8314.

The HADOOP-8314 fix had a side effect of disabling access to instrumentation if the user is not in an ACL.

While that may be desirable in certain deployments, it is quite common (and reasonable) to have instrumentation access without requiring authentication or authorization.

The attached patch then introduces (as the original approach suggested) a property *hadoop.security.authorization.for.instrumentation* to enforce or not authorization on the instrumentation servlets. The patch does not do any changes related to authentication requirements (which can still be done adding a filter via a filter initializer). The patch modifies the 5 instrumentation servlets to use the new logic (encapsulated in the *checkInstrumentationAccess()* method)

                
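
As an added example (not code from this thread or from the HADOOP-8343 patch), the Java model below works through the decision the comment above describes: the instrumentation property decides whether the admin check runs at all, and the admin check only restricts access when authorization is on. The class, enum, `flag` helper, default values, admin list and sample users are assumptions; the comment names only `hadoop.security.authorization.for.instrumentation`, `hasAdminAccess()` and `checkInstrumentationAccess()`, and their bodies here are a model, not Hadoop's implementation.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Stand-alone model of the access decision; uses no Hadoop classes. */
public class InstrumentationAccessModel {

    // Hadoop's general switch for service-level authorization.
    static final String AUTHZ = "hadoop.security.authorization";
    // Property name as proposed in the comment above.
    static final String INSTR_AUTHZ =
        "hadoop.security.authorization.for.instrumentation";

    enum Decision { ALLOW, DENY_UNAUTHENTICATED, DENY_NOT_ADMIN }

    // Assumption: an unset property is treated as "false".
    static boolean flag(Map<String, String> conf, String key) {
        return Boolean.parseBoolean(conf.getOrDefault(key, "false"));
    }

    /** Model of the admin check: it only restricts when authorization is ON. */
    static Decision hasAdminAccess(Map<String, String> conf,
                                   String remoteUser, Set<String> adminAcl) {
        if (!flag(conf, AUTHZ)) {
            return Decision.ALLOW;
        }
        // No authentication filter ran, so there is no identity to authorize.
        if (remoteUser == null) {
            return Decision.DENY_UNAUTHENTICATED;
        }
        // Authenticated, but not listed in the admin ACL.
        if (!adminAcl.contains(remoteUser)) {
            return Decision.DENY_NOT_ADMIN;
        }
        return Decision.ALLOW;
    }

    /** Model of the shared check used by the five instrumentation servlets. */
    static Decision checkInstrumentationAccess(Map<String, String> conf,
                                               String remoteUser,
                                               Set<String> adminAcl) {
        // Written as linear steps rather than one combined boolean expression.
        if (!flag(conf, INSTR_AUTHZ)) {
            return Decision.ALLOW;   // instrumentation left open to all callers
        }
        return hasAdminAccess(conf, remoteUser, adminAcl);
    }

    public static void main(String[] args) {
        // Constructed sample data: one admin, three kinds of caller.
        Set<String> admins = Set.of("hdfs-admin");
        String[] users = { null, "alice", "hdfs-admin" };

        List<String> names = List.of(
            "authz on,  instrumentation open",
            "authz on,  instrumentation admin-only",
            "authz off, instrumentation admin-only");
        List<Map<String, String>> confs = List.of(
            Map.of(AUTHZ, "true", INSTR_AUTHZ, "false"),
            Map.of(AUTHZ, "true", INSTR_AUTHZ, "true"),
            Map.of(AUTHZ, "false", INSTR_AUTHZ, "true"));

        for (int i = 0; i < confs.size(); i++) {
            for (String user : users) {
                Decision d = checkInstrumentationAccess(confs.get(i), user, admins);
                System.out.printf("%-40s user=%-11s -> %s%n", names.get(i), user, d);
            }
        }
    }
}
```

Because the built-in SPNEGO filter does not cover these servlets, turning the instrumentation check on without adding an authentication filter through a FilterInitializer leaves every caller in the unauthenticated branch of this model.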