John Zhuge created HADOOP-14786:
-----------------------------------

             Summary: HTTP default servlets do not require authentication when Kerberos is enabled
                 Key: HADOOP-14786
                 URL: https://issues.apache.org/jira/browse/HADOOP-14786
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.8.0
            Reporter: John Zhuge
            Assignee: John Zhuge


The default HttpServer2 servlets /jmx, /conf, /logLevel, and /stacks do not 
require authentication when Kerberos is enabled.


{code:java|title=HttpServer2#addDefaultServlets}
  // set up default servlets
  addServlet("stacks", "/stacks", StackServlet.class);
  addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
  addServlet("jmx", "/jmx", JMXJsonServlet.class);
  addServlet("conf", "/conf", ConfServlet.class);
{code}

{code:java|title=HttpServer2#addServlet}
public void addServlet(String name, String pathSpec,
                       Class<? extends HttpServlet> clazz) {
  // requireAuth is hard-coded to false here, so no SPNEGO filter is attached
  addInternalServlet(name, pathSpec, clazz, false);
  addFilterPathMapping(pathSpec, webAppContext);
}
{code}
{code:java|title=HttpServer2#addInternalServlet}
addInternalServlet(…, boolean requireAuth)
…
// the Kerberos filter is only added when the caller asked for it
if (requireAuth && UserGroupInformation.isSecurityEnabled()) {
  LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
  …
}
{code}

{{requireAuth}} is {{false}} for the default servlets inside 
{{addInternalServlet}}.

The issue can be verified by running the following curl command against the 
NameNode web address when Kerberos is enabled:
{noformat}
kdestroy
curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
{noformat}
Expect curl to fail, but it returns JMX anyway.
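As an added audit script (not part of this issue or of Hadoop itself), the same unauthenticated check extended to all four default servlets; the base URL is a placeholder in the form of the curl command above, and the verdicts assume a Kerberos-enabled endpoint, where an anonymous request should get 401/403:

```shell
# Audit helper (added example, not Hadoop code): probe the default HttpServer2
# servlets with no Kerberos ticket and report which ones answer 200.
# Usage: audit_default_servlets 'https://<nn-web>:9871'
# Assumes curl and kdestroy are on PATH; base URL is a placeholder.

DEFAULT_SERVLETS="/jmx /conf /logLevel /stacks"

# Map an HTTP status code to a verdict. On a secure cluster an unauthenticated
# request must not get 200; 401/403 is the expected answer.
classify_status() {
  case "$1" in
    200)     echo "EXPOSED" ;;
    401|403) echo "PROTECTED" ;;
    000)     echo "UNREACHABLE" ;;
    *)       echo "UNEXPECTED($1)" ;;
  esac
}

# Probe every default servlet; prints one line per path and returns the
# number of servlets that served content without authentication.
audit_default_servlets() {
  base="${1%/}"
  exposed=0
  # Drop any cached ticket so --negotiate has nothing to present.
  kdestroy >/dev/null 2>&1 || true
  for path in $DEFAULT_SERVLETS; do
    code=$(curl --negotiate -u: -k -sS -o /dev/null -w '%{http_code}' \
             "${base}${path}" 2>/dev/null || echo 000)
    verdict=$(classify_status "$code")
    printf '%-10s %s %s\n' "$path" "$code" "$verdict"
    [ "$verdict" = "EXPOSED" ] && exposed=$((exposed + 1))
  done
  return "$exposed"
}
```

A non-zero exit status from audit_default_servlets is the count of servlets that returned 200 anonymously, which makes the check easy to wire into a compliance job.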



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
