Siyao Meng created HDDS-6467:
--------------------------------

             Summary: OzoneManager /loglevel endpoint SPNEGO auth is broken
                 Key: HDDS-6467
                 URL: https://issues.apache.org/jira/browse/HDDS-6467
             Project: Apache Ozone
          Issue Type: Bug
          Components: OM
    Affects Versions: 1.3.0
            Reporter: Siyao Meng


This might not be limited to OM; it could affect SCM and others as well, as they 
may share the logic.

Repro:
1. Authenticated with Kerberos as `om` user
2. Then curl, but endpoint returns 403 Forbidden:

```bash
$ curl -k --negotiate -u : "https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Unauthenticated users are not authorized to access this page.</title>
</head>
<body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access this page.</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access this page.</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>

</body>
</html>
```

OM log prints the user name as `dr.who`:

```
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is unauthorized to access the page /logLevel.
```

Possibly the `/logLevel` endpoint doesn't have SPNEGO header/auth configured 
correctly.
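
A triage check for the symptom reported above, added here as an example and not part of the original report or of Apache Ozone's code: it looks for an RFC 4559 `WWW-Authenticate: Negotiate` challenge in a captured response and compares the user named in the HttpServer2 denial lines with the expected Kerberos short name. The function names, the sample response headers and the expected user `om` are assumptions; the log lines are the ones from the report with the mail line-wrapping removed.

```python
import re

# HttpServer2 denial line, in the form quoted in the report above.
DENIED = re.compile(
    r"WARN org\.apache\.hadoop\.http\.HttpServer2: "
    r"User (?P<user>\S+) is unauthorized to access the page (?P<page>\S+?)\.?$"
)

# Log lines from the report, with the mail line-wrapping removed.
SAMPLE_LOG = """\
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is unauthorized to access the page /logLevel.
"""
# Constructed response headers (assumption): the report shows only the body.
SAMPLE_HEADERS = [("Content-Type", "text/html;charset=utf-8")]


def denied_users(log_text):
    """Count HttpServer2 denials per (user, page)."""
    counts = {}
    for line in log_text.splitlines():
        m = DENIED.search(line.strip())
        if m:
            key = (m.group("user"), m.group("page"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def spnego_offered(status, headers):
    """True for an RFC 4559 challenge: 401 plus WWW-Authenticate: Negotiate."""
    return status == 401 and any(
        name.lower() == "www-authenticate"
        and value.strip().lower().startswith("negotiate")
        for name, value in headers
    )


def triage(status, headers, log_text, expected_user):
    """List mismatches between the expected and the observed authentication."""
    findings = []
    if status in (401, 403) and not spnego_offered(status, headers):
        findings.append(f"HTTP {status} with no Negotiate challenge in the response")
    for (user, page), n in sorted(denied_users(log_text).items()):
        if user != expected_user:
            findings.append(f"{page}: denied as '{user}' {n} time(s), expected '{expected_user}'")
    return findings


if __name__ == "__main__":
    for finding in triage(403, SAMPLE_HEADERS, SAMPLE_LOG, "om"):
        print(finding)
```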


