[ https://issues.apache.org/jira/browse/HADOOP-13707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568753#comment-15568753 ]
Yuanbo Liu commented on HADOOP-13707: ------------------------------------- [~jojochuang] Thanks for your comments. {quote} I feel like a correct approach is to add a SPENGO filter... {quote} Yes you're right, actually I'm ready to add a SPENGO filter with delegation feature in HADOOP-13119. But as I said, enabling Kerberos and SPENGO are two steps. If users enable Kerberos without SPENGO, that means the http sever of the cluster is in non-security environment. In this situation, static user's authorization shouldn't be checked. In the very first installation of Hadoop, http sever is also in non-security environment without any authorization check. So I think the behavior here should be consistent and "dr.who" issue should be avoid. Thanks again for your comments, looking forward to your response. :) > If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot > be accessed > ----------------------------------------------------------------------------------------- > > Key: HADOOP-13707 > URL: https://issues.apache.org/jira/browse/HADOOP-13707 > Project: Hadoop Common > Issue Type: Bug > Reporter: Yuanbo Liu > Assignee: Yuanbo Liu > Labels: security > Attachments: HADOOP-13707.001.patch, HADOOP-13707.002.patch, > HADOOP-13707.003.patch > > > In {{HttpServer2#hasAdministratorAccess}}, it uses > `hadoop.security.authorization` to detect whether HTTP is authenticated. > It's not correct, because enabling Kerberos and HTTP SPNEGO are two steps. If > Kerberos is enabled while HTTP SPNEGO is not, some links cannot be accessed, > such as "/logs", and it will return error message as below: > {quote} > HTTP ERROR 403 > Problem accessing /logs/. Reason: > User dr.who is unauthorized to access this page. > {quote} > We should make sure {{HttpServletRequest#getAuthType}} is not null before we > invoke {{HttpServer2#hasAdministratorAccess}}. > {{getAuthType}} means to get the authorization scheme of this request -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org