[jira] [Updated] (HDFS-5217) Namenode log directory link is inaccessible in secure cluster

Wed, 25 Sep 2013 16:11:18 -0700 

     [ 
https://issues.apache.org/jira/browse/HDFS-5217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jing Zhao updated HDFS-5217:
----------------------------

    Attachment: HDFS-5217.001.patch

Update the patch. 

I followed the instruction in the HttpAuthentication link and enabled Spnego 
authentication in the http server. The old patch did not break the Spnego, but 
with Spnego enabled the log directory link is inaccessible again.

Since the cause of the issue is that the getRemoteUser call on the http request 
returns null, and the AuthenticationFilter wraps the http request with the 
short name retrieved from the token, we do not need to add the security handler 
(and the user realm) when AuthenticationFilter is specified. So in the new 
patch I simply check if AuthenticationFilter has been specified in the 
configuration.

I have locally tested the patch with/without specifying Spnego. And with the 
patch the log directory link can be visited.
                
> Namenode log directory link is inaccessible in secure cluster
> -------------------------------------------------------------
>
>                 Key: HDFS-5217
>                 URL: https://issues.apache.org/jira/browse/HDFS-5217
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Jing Zhao
>            Assignee: Jing Zhao
>         Attachments: HDFS-5217.000.patch, HDFS-5217.001.patch
>
>
> Currently in a secured HDFS cluster, 401 error is returned when clicking the 
> "NameNode Logs" link.
> Looks like the cause of the issue is that the httpServer does not correctly 
> set the security handler and the user realm currently, which causes the 
> httpRequest.getRemoteUser (for the log URL) to return null and later be 
> overwritten to the default web name (e.g., "dr.who") by the filter. In the 
> meanwhile, in a secured cluster the log URL requires the http user to be an 
> administrator. That's why we see the 401 error.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to