[ https://issues.apache.org/jira/browse/HIVE-14737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15961200#comment-15961200 ]
Johndee Burks edited comment on HIVE-14737 at 4/7/17 8:46 PM: -------------------------------------------------------------- I have looked into this and the problem is the following code in the situation of hive.server2.webui.use.spenego being set to false in a secure cluster. [Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/AdminAuthorizedServlet.java#L39] {code} protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // Do the authorization if (HttpServer.hasAdministratorAccess(getServletContext(), request, response)) { // Authorization is done. Just call super. super.doGet(request, response); {code} In a secure cluster HttpServer.hasAdministratorAccess will always evaluate false because of HADOOP_SECURITY_AUTHORIZATION. The code can be seen below. [Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/HttpServer.java#L259] {code} static boolean hasAdministratorAccess( ServletContext servletContext, HttpServletRequest request, HttpServletResponse response) throws IOException { Configuration conf = (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE); // If there is no authorization, anybody has administrator access. if (!conf.getBoolean( CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) { return true; } {code} I am fairly certain if HttpServer.hasAdministratorAccess is changed to HttpServer. isInstrumentationAccessAllowed this would work without issue. I am looking into the implications of making this change. was (Author: johndee): I have looked into this and the problem is the following code. [Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/AdminAuthorizedServlet.java#L39] {code} protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // Do the authorization if (HttpServer.hasAdministratorAccess(getServletContext(), request, response)) { // Authorization is done. Just call super. super.doGet(request, response); {code} In a secure cluster HttpServer.hasAdministratorAccess will always evaluate false because of HADOOP_SECURITY_AUTHORIZATION. The code can be seen below. [Code Link|https://github.com/apache/hive/blob/master/common/src/java/org/apache/hive/http/HttpServer.java#L259] {code} static boolean hasAdministratorAccess( ServletContext servletContext, HttpServletRequest request, HttpServletResponse response) throws IOException { Configuration conf = (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE); // If there is no authorization, anybody has administrator access. if (!conf.getBoolean( CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) { return true; } {code} I am fairly certain if HttpServer.hasAdministratorAccess is changed to HttpServer. isInstrumentationAccessAllowed this would work without issue. I am looking into the implications of making this change. > Problem accessing /logs in a Kerberized Hive Server 2 Web UI > ------------------------------------------------------------ > > Key: HIVE-14737 > URL: https://issues.apache.org/jira/browse/HIVE-14737 > Project: Hive > Issue Type: Bug > Affects Versions: 1.1.0 > Reporter: Matyas Orhidi > Assignee: Johndee Burks > > The /logs menu fails with error [1] when the cluster is Kerberized. Other > menu items are working properly. > [1] HTTP ERROR: 401 > Problem accessing /logs/. Reason: > Unauthenticated users are not authorized to access this page. > Powered by Jetty:// -- This message was sent by Atlassian JIRA (v6.3.15#6346)