[
https://issues.apache.org/jira/browse/HIVE-14737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15961200#comment-15961200
]
Johndee Burks edited comment on HIVE-14737 at 4/7/17 8:46 PM:
--------------------------------------------------------------
I have looked into this and the problem is the following code in the situation
of hive.server2.webui.use.spnego being set to false in a secure cluster.
[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/AdminAuthorizedServlet.java#L39]
{code}
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Do the authorization
    if (HttpServer.hasAdministratorAccess(getServletContext(), request,
        response)) {
      // Authorization is done. Just call super.
      super.doGet(request, response);
{code}
In a secure cluster HttpServer.hasAdministratorAccess will always evaluate
false because of HADOOP_SECURITY_AUTHORIZATION. The code can be seen below.
[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/HttpServer.java#L259]
{code}
  static boolean hasAdministratorAccess(
      ServletContext servletContext, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
    Configuration conf =
        (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
    // If there is no authorization, anybody has administrator access.
    if (!conf.getBoolean(
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
      return true;
    }
{code}
I am fairly certain that if HttpServer.hasAdministratorAccess is changed to
HttpServer.isInstrumentationAccessAllowed this would work without issue. I am
looking into the implications of making this change.
was (Author: johndee):
I have looked into this and the problem is the following code.
[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/AdminAuthorizedServlet.java#L39]
{code}
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Do the authorization
    if (HttpServer.hasAdministratorAccess(getServletContext(), request,
        response)) {
      // Authorization is done. Just call super.
      super.doGet(request, response);
{code}
In a secure cluster HttpServer.hasAdministratorAccess will always evaluate
false because of HADOOP_SECURITY_AUTHORIZATION. The code can be seen below.
[Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/HttpServer.java#L259]
{code}
  static boolean hasAdministratorAccess(
      ServletContext servletContext, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
    Configuration conf =
        (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
    // If there is no authorization, anybody has administrator access.
    if (!conf.getBoolean(
        CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
      return true;
    }
{code}
I am fairly certain that if HttpServer.hasAdministratorAccess is changed to
HttpServer.isInstrumentationAccessAllowed this would work without issue. I am
looking into the implications of making this change.
> Problem accessing /logs in a Kerberized Hive Server 2 Web UI
> ------------------------------------------------------------
>
> Key: HIVE-14737
> URL: https://issues.apache.org/jira/browse/HIVE-14737
> Project: Hive
> Issue Type: Bug
> Affects Versions: 1.1.0
> Reporter: Matyas Orhidi
> Assignee: Johndee Burks
>
> The /logs menu fails with error [1] when the cluster is Kerberized. Other
> menu items are working properly.
> [1] HTTP ERROR: 401
> Problem accessing /logs/. Reason:
> Unauthenticated users are not authorized to access this page.
> Powered by Jetty://
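
The gate discussed in the comment above, as an added example that is not part of the original message and is not Hive's code: a stand-alone model that runs the four combinations of hadoop.security.authorization and the web UI SPNEGO property through the check. The class name, the Outcome values and the sample principal are hypothetical; the model assumes that with SPNEGO off nothing authenticates the request, so the servlet sees no remote user and answers with the 401 quoted in the issue description.

```java
import java.util.Map;

// Added illustration, not code from Hive or Hadoop.
public class LogsAccessModel {
    enum Outcome { ALLOWED_AUTHORIZATION_OFF, HTTP_401_UNAUTHENTICATED, CONTINUE_TO_ADMIN_CHECK }

    // Models the branch quoted in the comment plus the 401 from the issue text.
    static Outcome decide(Map<String, String> conf, String kerberosPrincipal) {
        // Same test as the quoted hasAdministratorAccess excerpt:
        // with authorization off, anybody has administrator access.
        boolean authorization = Boolean.parseBoolean(
            conf.getOrDefault("hadoop.security.authorization", "false"));
        if (!authorization) {
            return Outcome.ALLOWED_AUTHORIZATION_OFF;
        }
        // Assumption: without SPNEGO the web UI never authenticates the caller,
        // so the request carries no remote user.
        boolean spnego = Boolean.parseBoolean(
            conf.getOrDefault("hive.server2.webui.use.spnego", "false"));
        String remoteUser = spnego ? kerberosPrincipal : null;
        if (remoteUser == null) {
            // "Unauthenticated users are not authorized to access this page."
            return Outcome.HTTP_401_UNAUTHENTICATED;
        }
        // The remainder of the method is not shown in the comment; it is not modelled here.
        return Outcome.CONTINUE_TO_ADMIN_CHECK;
    }

    public static void main(String[] args) {
        String principal = "alice@EXAMPLE.COM"; // constructed sample principal
        boolean[] flags = {false, true};
        for (boolean authz : flags) {
            for (boolean spnego : flags) {
                Map<String, String> conf = Map.of(
                    "hadoop.security.authorization", String.valueOf(authz),
                    "hive.server2.webui.use.spnego", String.valueOf(spnego));
                System.out.printf("authorization=%-5s spnego=%-5s -> %s%n",
                    authz, spnego, decide(conf, principal));
            }
        }
    }
}
```

The row with authorization on and SPNEGO off is the combination the comment describes: every request to /logs stops at the 401, whoever sends it.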