[jira] [Commented] (MAPREDUCE-6845) Job history server requires admin permission when accessing container log in secure environment, which is not correct

Wed, 08 Feb 2017 06:37:05 -0800 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-6845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15858060#comment-15858060
 ] 

Jason Lowe commented on MAPREDUCE-6845:
---------------------------------------

I think there's confusion on the paths.  The '/logs' path in HttpServer2 refers 
to the path http://<jhsaddr>/logs, while the container logs path is 
http://<jhsaddr>/jobhistory/logs.  The JHS webapp is registered under the 
"jobhistory" prefix (see HistoryClientService#initializeWebApp).  Therefore one 
path is not a prefix of the other.  Our clusters are secure, and our non-admin 
users are able to access their job logs.

> Job history server requires admin permission when accessing container log in 
> secure environment, which is not correct
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-6845
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-6845
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>            Reporter: Yuanbo Liu
>
> A typical url of container log in job history server is like this:
> {code}
> http://{job history server address}:19888/jobhistory/logs/{node manager 
> address}:{port}/{container id}/{entity id}/{app owner}
> {code}
> When accessing it in secure environment, it requires authorization.
> Because the parent path {{/logs}} has {{AdminAuthorizedServlet}} defined in 
> {{HttpServer2.java}}, the container log url will execute 
> AdminAuthorizedServlet  in the servlet chain and requires admin permission, 
> which is wrong.
> The container log url has it own authorization mechanism, besides, If the 
> user is the owner of the container but it doesn't belong to admins, then the 
> user will not be allowed to access the container log url, and it is not 
> reasonable.
> There are two ways to fix this defect:
> * change the parent path of container log url, for example, use "/clogs" 
> instead of "/logs"
> * stop executing {{AdminAuthorizedServlet}} when accessing the child path of 
> "/logs" in job history server.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: mapreduce-issues-h...@hadoop.apache.org

Reply via email to