[
https://issues.apache.org/jira/browse/HADOOP-14786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16140275#comment-16140275
]
Brahma Reddy Battula commented on HADOOP-14786:
-----------------------------------------------
bq. {noformat}
kdestroy
curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
{noformat}
bq. Expect curl to fail, but it returns JMX anyway.
When {{hadoop.security.instrumentation.requires.admin}} is configured as {{true}},
is the behavior also the same...? I think we can ensure only an admin can access when this
is enabled..? Did I miss anything..?
{code}
// If the user is a static user and the auth type is null, that means
// this is a non-secure environment and no authorization is needed;
// otherwise, do the authorization.
final ServletContext servletContext = getServletContext();
if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
    !isInstrumentationAccessAllowed(request, response)) {
  return;
}
{code}
> HTTP default servlets do not require authentication when kerberos is enabled
> ----------------------------------------------------------------------------
>
> Key: HADOOP-14786
> URL: https://issues.apache.org/jira/browse/HADOOP-14786
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: John Zhuge
> Assignee: John Zhuge
>
> The default HttpServer2 servlet /jmx, /conf, /logLevel, and /stack do not
> require authentication when Kerberos is enabled.
> {code:java|title=HttpServer2#addDefaultServlets}
> // set up default servlets
> addServlet("stacks", "/stacks", StackServlet.class);
> addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
> addServlet("jmx", "/jmx", JMXJsonServlet.class);
> addServlet("conf", "/conf", ConfServlet.class);
> {code}
> {code:java|title=HttpServer2#addServlet}
> public void addServlet(String name, String pathSpec,
>     Class<? extends HttpServlet> clazz) {
>   addInternalServlet(name, pathSpec, clazz, false);
>   addFilterPathMapping(pathSpec, webAppContext);
> }
> {code}
> {code:java|title=HttpServer2#addInternalServlet}
> addInternalServlet(…, boolean requireAuth)
> …
> if (requireAuth && UserGroupInformation.isSecurityEnabled()) {
>   LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
> {code}
> {{requireAuth}} is {{false}} for the default servlets inside
> {{addInternalServlet}}.
> The issue can be verified by running the following curl command against
> NameNode web address when Kerberos is enabled:
> {noformat}
> kdestroy
> curl --negotiate -u: -k -sS 'https://<nn-web>:9871/jmx'
> {noformat}
> Expect curl to fail, but it returns JMX anyway.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
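The curl check from the issue description, extended into a small audit script over all four default servlets (/jmx, /conf, /logLevel, /stacks). This is an added example, not code from the JIRA issue or from Hadoop; the NameNode address is a placeholder supplied via NN_WEB, and a 200 from a request that carries no ticket (no --negotiate, so nothing can be sent) is reported as EXPOSED.

```shell
#!/usr/bin/env sh
# Added example (not from HADOOP-14786): probe the default HttpServer2 servlets
# without any Kerberos credential and report which ones still answer 200.
# Assumes curl is installed. NN_WEB is a placeholder such as https://<nn-web>:9871.

ENDPOINTS="/jmx /conf /logLevel /stacks"

# classify_status <http_code> -> prints EXPOSED, PROTECTED or UNKNOWN.
# 200 with no credential means the SPNEGO filter is not on the path;
# 401/403 means the request was challenged or denied; anything else
# (e.g. "000" for a connection failure) is inconclusive.
classify_status() {
  case "$1" in
    200)     echo EXPOSED ;;
    401|403) echo PROTECTED ;;
    *)       echo UNKNOWN ;;
  esac
}

# probe <base_url> <path> -> HTTP status code of a plain, unauthenticated GET.
# No --negotiate is passed, so curl cannot attach a ticket even if one exists.
probe() {
  curl -k -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1$2" 2>/dev/null \
    || echo 000
}

# audit <base_url> -> one line per endpoint; returns 1 if any endpoint is EXPOSED.
audit() {
  base="$1"; exposed=0
  for path in $ENDPOINTS; do
    code=$(probe "$base" "$path")
    verdict=$(classify_status "$code")
    [ "$verdict" = EXPOSED ] && exposed=1
    printf '%-10s %s %s\n' "$path" "$code" "$verdict"
  done
  return "$exposed"
}

# Run only when a target is given, so the functions can also be sourced.
if [ -n "${NN_WEB:-}" ]; then
  audit "$NN_WEB"
  exit $?
else
  echo "usage: NN_WEB=https://<nn-web>:9871 $0" >&2
fi
```

With a secured cluster the expected result is PROTECTED on every line; any EXPOSED line is the unauthenticated access this issue describes.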