[
https://issues.apache.org/jira/browse/MAPREDUCE-6845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857507#comment-15857507
]
Yuanbo Liu commented on MAPREDUCE-6845:
---------------------------------------
[~jlowe] I tag you here and hope to get your thoughts. Thanks in advance.
> Job history server requires admin permission when accessing container log in
> secure environment, which is not correct
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: MAPREDUCE-6845
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-6845
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Reporter: Yuanbo Liu
>
> A typical url of container log in job history server is like this:
> {code}
> http://{job history server address}:19888/jobhistory/logs/{node manager
> address}:{port}/{container id}/{entity id}/{app owner}
> {code}
> When accessing it in secure environment, it requires authorization.
> Because the parent path {{/logs}} has {{AdminAuthorizedServlet}} defined in
> {{HttpServer2.java}}, the container log url will execute
> AdminAuthorizedServlet in the servlet chain and requires admin permission,
> which is wrong.
> The container log url has it own authorization mechanism, besides, If the
> user is the owner of the container but it doesn't belong to admins, then the
> user will not be allowed to access the container log url, and it is not
> reasonable.
> There are two ways to fix this defect:
> * change the parent path of container log url, for example, use "/clogs"
> instead of "/logs"
> * stop executing {{AdminAuthorizedServlet}} when accessing the child path of
> "/logs" in job history server.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: mapreduce-issues-h...@hadoop.apache.org
