[
https://issues.apache.org/jira/browse/HDDS-15244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18086509#comment-18086509
]
Siyao Meng commented on HDDS-15244:
-----------------------------------
fwiw ozonesecure docker works fine as I just tested on current master branch
(w/o the patch):
{code:title=Prep}
# Build first
cd ./hadoop-ozone/dist/target/ozone-2.2.0-SNAPSHOT/compose/ozonesecure
docker compose up -d
docker compose exec s3g bash
{code}
{code:title=kinit}
bash-5.1$ klist -kt /etc/security/keytabs/om.keytab
Keytab name: FILE:/etc/security/keytabs/om.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/05/26 23:22:17 om/[email protected]
1 06/05/26 23:22:17 om/[email protected]
1 06/05/26 23:22:17 HTTP/[email protected]
1 06/05/26 23:22:17 HTTP/[email protected]
1 06/05/26 23:22:17 testuser/[email protected]
1 06/05/26 23:22:17 testuser/[email protected]
1 06/05/26 23:22:17 testuser2/[email protected]
1 06/05/26 23:22:17 testuser2/[email protected]
bash-5.1$ kinit -kt /etc/security/keytabs/om.keytab om/om
{code}
Without negotiate it fails with 401 as expected:
{code}
bash-5.1$ curl http://om:9874/logLevel
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401 Authentication required</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Authentication required</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>
</body>
</html>
{code}
But with {{--negotiate -u :}} , curl works fine:
{code:title=curl works with negotiate}
bash-5.1$ curl --negotiate -u : http://om:9874/logLevel
<html>
<link rel='stylesheet' type='text/css' href='/static/hadoop.css'>
<title>Log Level</title>
<body>
<h1>Log Level</h1>
<br /><hr /><h3>Get / Set</h3>
<form>Class Name: <input type='text' size='50' name='log' /> <input
type='submit' value='Get Log Level' /></form>
<form>Class Name: <input type='text' size='50' name='log' /> Level: <input
type='text' name='level' /> <input type='submit' value='Set Log Level' /></form>
<hr />
<a href='http://hadoop.apache.org'>Hadoop</a>, 2026.
</body></html>
{code}
> LogLevel HTTP endpoint is inaccessible in secure clusters
> ---------------------------------------------------------
>
> Key: HDDS-15244
> URL: https://issues.apache.org/jira/browse/HDDS-15244
> Project: Apache Ozone
> Issue Type: Bug
> Components: Security
> Reporter: Wei-Chiu Chuang
> Assignee: Andrey Yarovoy
> Priority: Major
> Labels: pull-request-available
>
> The /logLevel HTTP endpoint, which allows users to view and modify log levels
> at runtime, has a bug that makes it operationaly
> broken in secure environments.
> Technical Root Cause:
> 1. Missing Authentication: In HttpServer2.java, the logLevel servlet is
> registered via addDefaultServlets() using addServlet. This internal call sets
> requireAuth = false. Consequently, the internal SpnegoFilter is never applied
> to the /logLevel path, even when Kerberos/SPNEGO is enabled for the
> cluster.
> 2. Authorization Failure: The LogLevel.Servlet implementation calls
> HttpServer2.hasAdministratorAccess(). In a secure cluster, this method
> requires a
> non-null request.getRemoteUser(). Because the authentication filter was
> skipped, the remote user is always null, leading to a permanent 403 Forbidden
> response for all users, including administrators.
> Impact:
> * Operational: Administrators cannot use the ozone insight tool or the web
> UI to troubleshoot production issues in secure clusters by increasing log
> verbosity.
> Steps to Reproduce (Secure Cluster):
> 1. Start a secure Ozone cluster with Kerberos enabled.
> 2. Attempt to access http://<om-host>:9874/logLevel via a browser or curl
> --negotiate.
> 3. The server will return 403 Forbidden with the message: "Unauthenticated
> users are not authorized to access this page."
> Proposed Fix:
> * Modify HttpServer2.addDefaultApps() (or addDefaultServlets) to ensure the
> logLevel servlet (and potentially others like stacks and conf) are registered
> with requireAuth = true.
> * Add a specific integration test in TestHttpServer2 or a new TestLogLevel
> to verify that authentication is correctly challenged and authorization is
> respected in both secure and non-secure modes.
> Additional Context:
> This issue is acknowledged in the documentation (Observability.md), which
> states that the /logLevel endpoint is "not yet supported in secure
> environment."
> This bug report aims to formalize the requirement to fix this inconsistency.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
