hadoop-mapreduce-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yuanbo Liu (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (MAPREDUCE-6845) Job history server requires admin permission when accessing container log in secure environment, which is not correct
Date Thu, 09 Feb 2017 03:20:41 GMT

     [ https://issues.apache.org/jira/browse/MAPREDUCE-6845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Yuanbo Liu resolved MAPREDUCE-6845.
-----------------------------------
    Resolution: Not A Problem

> Job history server requires admin permission when accessing container log in secure environment,
which is not correct
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-6845
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-6845
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>            Reporter: Yuanbo Liu
>
> A typical url of container log in job history server is like this:
> {code}
> http://{job history server address}:19888/jobhistory/logs/{node manager address}:{port}/{container
id}/{entity id}/{app owner}
> {code}
> When accessing it in secure environment, it requires authorization.
> Because the parent path {{/logs}} has {{AdminAuthorizedServlet}} defined in {{HttpServer2.java}},
the container log url will execute AdminAuthorizedServlet  in the servlet chain and requires
admin permission, which is wrong.
> The container log url has it own authorization mechanism, besides, If the user is the
owner of the container but it doesn't belong to admins, then the user will not be allowed
to access the container log url, and it is not reasonable.
> There are two ways to fix this defect:
> * change the parent path of container log url, for example, use "/clogs" instead of "/logs"
> * stop executing {{AdminAuthorizedServlet}} when accessing the child path of "/logs"
in job history server.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: mapreduce-dev-help@hadoop.apache.org


Mime
View raw message