[
https://issues.apache.org/jira/browse/HDDS-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siyao Meng updated HDDS-6467:
-----------------------------
Description:
This might not be limited to OM, could affect SCM and others as well as they
may share the logic.
Repro:
1. kinit authenticated with Kerberos as user {{om}}
2. Then curl, but endpoint returns 403 Forbidden:
{code:bash}
$ curl -k --negotiate -u :
"https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Unauthenticated users are not authorized to access this
page.</title>
</head>
<body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
this page.</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
this page.</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>
</body>
</html>
{code}
OM log prints the user name is {{dr.who}}:
{code}
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
{code}
The {{/, /stacks, /jmx, /conf}} endpoints are working just fine. But these four
doesn't seem to require auth at all (works even after {{kdestroy}} or without
{{--negotiate -u :}}) on the cluster:
{code:bash}
$ curl -k --negotiate -u : "https://<OM_HOST>:9875/"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
...
{code}
Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth configured
correctly. Above test is conducted on an actual cluster. Should be able to
repro in {{ozonesecure}} docker as well if it enables SPNEGO/SSL.
curl -v doesn't show any {{gss_init_sec_context() failed: : No Kerberos
credentials available}} message, indicating the server doesn't ask for SPNEGO
auth at all.
A correct SPNEGO negotiation should have {{Authorization: Negotiate AAA}}
header from client to server, then {{WWW-Authenticate: Negotiate BBB}} from
server to client.
was:
This might not be limited to OM, could affect SCM and others as well as they
may share the logic.
Repro:
1. kinit authenticated with Kerberos as user {{om}}
2. Then curl, but endpoint returns 403 Forbidden:
{code:bash}
$ curl -k --negotiate -u :
"https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Unauthenticated users are not authorized to access this
page.</title>
</head>
<body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
this page.</h2>
<table>
<tr><th>URI:</th><td>/logLevel</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
this page.</td></tr>
<tr><th>SERVLET:</th><td>logLevel</td></tr>
</table>
</body>
</html>
{code}
OM log prints the user name is {{dr.who}}:
{code}
2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who is
unauthorized to access the page /logLevel.
{code}
The {{/, /stacks, /jmx, /conf}} endpoints are working just fine. But these four
doesn't seem to require auth at all (works even after {{kdestroy}} or without
{{--negotiate -u :}}) on the cluster:
{code:bash}
$ curl -k --negotiate -u : "https://<OM_HOST>:9875/"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
...
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head
content must come *after* these tags -->
<meta name="description" content="Ozone Manager">
<title>Ozone Manager</title>
<link href="static/bootstrap-3.4.1/css/bootstrap.min.css" rel="stylesheet">
<link href="static/hadoop.css" rel="stylesheet">
<link href="static/nvd3-1.8.5.min.css" rel="stylesheet">
<link href="static/ozone.css" rel="stylesheet">
</head>
<body ng-app="ozoneManager">
<header class="navbar navbar-inverse navbar-fixed-top bs-docs-nav">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed"
data-toggle="collapse" data-target="#navbar"
aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Ozone Manager</a>
</div>
<navmenu
metrics="{ 'OM metrics' : '#!/metrics/ozoneManager', 'Rpc
metrics' : '#!/metrics/rpc'}"></navmenu>
</div>
</header>
<div class="container-fluid">
<ng-view></ng-view>
</div><!-- /.container -->
<script src="static/jquery-3.5.1.min.js"></script>
<script src="static/angular-1.8.0.min.js"></script>
<script src="static/angular-route-1.8.0.min.js"></script>
<script src="static/d3-3.5.17.min.js"></script>
<script src="static/nvd3-1.8.5.min.js"></script>
<script src="static/angular-nvd3-1.0.9.min.js"></script>
<script src="static/ozone.js"></script>
<script src="ozoneManager.js"></script>
<script src="static/bootstrap-3.4.1/js/bootstrap.min.js"></script>
</body>
</html>
{code}
Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth configured
correctly. Above test is conducted on an actual cluster. Should be able to
repro in {{ozonesecure}} docker as well if it enables SPNEGO/SSL.
curl -v doesn't show any {{gss_init_sec_context() failed: : No Kerberos
credentials available}} message, indicating the server doesn't ask for SPNEGO
auth at all.
A correct SPNEGO negotiation should have {{Authorization: Negotiate AAA}}
header from client to server, then {{WWW-Authenticate: Negotiate BBB}} from
server to client.
> OzoneManager /loglevel endpoint authentication is not working
> -------------------------------------------------------------
>
> Key: HDDS-6467
> URL: https://issues.apache.org/jira/browse/HDDS-6467
> Project: Apache Ozone
> Issue Type: Bug
> Components: OM
> Affects Versions: 1.3.0
> Reporter: Siyao Meng
> Priority: Major
>
> This might not be limited to OM, could affect SCM and others as well as they
> may share the logic.
> Repro:
> 1. kinit authenticated with Kerberos as user {{om}}
> 2. Then curl, but endpoint returns 403 Forbidden:
> {code:bash}
> $ curl -k --negotiate -u :
> "https://<OM_HOST>:9875/logLevel?log=org.apache.hadoop.security.UserGroupInformation"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthenticated users are not authorized to access this
> page.</title>
> </head>
> <body><h2>HTTP ERROR 403 Unauthenticated users are not authorized to access
> this page.</h2>
> <table>
> <tr><th>URI:</th><td>/logLevel</td></tr>
> <tr><th>STATUS:</th><td>403</td></tr>
> <tr><th>MESSAGE:</th><td>Unauthenticated users are not authorized to access
> this page.</td></tr>
> <tr><th>SERVLET:</th><td>logLevel</td></tr>
> </table>
> </body>
> </html>
> {code}
> OM log prints the user name is {{dr.who}}:
> {code}
> 2022-03-17 04:26:10,916 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> 2022-03-17 04:26:16,378 WARN org.apache.hadoop.http.HttpServer2: User dr.who
> is unauthorized to access the page /logLevel.
> {code}
> The {{/, /stacks, /jmx, /conf}} endpoints are working just fine. But these
> four doesn't seem to require auth at all (works even after {{kdestroy}} or
> without {{--negotiate -u :}}) on the cluster:
> {code:bash}
> $ curl -k --negotiate -u : "https://<OM_HOST>:9875/"
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> ...
> {code}
> Possibly the {{/logLevel}} endpoint doesn't have SPNEGO header/auth
> configured correctly. Above test is conducted on an actual cluster. Should be
> able to repro in {{ozonesecure}} docker as well if it enables SPNEGO/SSL.
> curl -v doesn't show any {{gss_init_sec_context() failed: : No Kerberos
> credentials available}} message, indicating the server doesn't ask for SPNEGO
> auth at all.
> A correct SPNEGO negotiation should have {{Authorization: Negotiate AAA}}
> header from client to server, then {{WWW-Authenticate: Negotiate BBB}} from
> server to client.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
