hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13119) Web UI error accessing links which need authorization when Kerberos
Date Thu, 19 Jan 2017 00:22:26 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15829038#comment-15829038
] 

Allen Wittenauer commented on HADOOP-13119:
-------------------------------------------

I did a quick read through the JIRA, so I apologize if I've missed something.  But I think
there has been a big misunderstanding from the original design intent in this JIRA:

bq. Would expect as a user to be able to web interface logs link.

>From what I remember, there are certain sets of links that were designed not to be open
to end users in any way, shape, or form because they have a tendency to leak sensitive information
in "real world" use cases. /logs, for example, exposes file and directory names, amongst other
info.

The dfs.cluster.administrators setting was intended to give access to those "admin-only" links.
 (This clearly predates YARN.) The users in this group should almost certainly not be proxiable
accounts, as it opens up a whole new can of security worms with regards to secondary systems;
does your workflow scheduler allow anyone to run as any other user?

That said, I could see under extremely limited circumstances why proxying might be necessary.
 This falls under "enough rope to hang yourself"--it's a bad idea, but sometimes you have
no choice.  As long as one is careful, it might work out ok.

> Web UI error accessing links which need authorization when Kerberos
> -------------------------------------------------------------------
>
>                 Key: HADOOP-13119
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13119
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 2.7.4
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Yuanbo Liu
>              Labels: security
>         Attachments: HADOOP-13119.001.patch, HADOOP-13119.002.patch, HADOOP-13119.003.patch,
HADOOP-13119.004.patch, HADOOP-13119.005.patch, screenshot-1.png
>
>
> User Hadoop on secure mode.
> login as kdc user, kinit.
> start firefox and enable Kerberos
> access http://localhost:50070/logs/
> Get 403 authorization errors.
> only hdfs user could access logs.
> Would expect as a user to be able to web interface logs link.
> Same results if using curl:
> curl -v  --negotiate -u tester:  http://localhost:50070/logs/
>  HTTP/1.1 403 User tester is unauthorized to access this page.
> so:
> 1. either don't show links if hdfs user  is able to access.
> 2. provide mechanism to add users to web application realm.
> 3. note that we are pass authentication so the issue is authorization to /logs/
> suspect that /logs/ path is secure in webdescriptor so suspect users by default don't
have access to secure paths.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message