Revert "HADOOP-13707. If kerberos is enabled while HTTP SPNEGO is not configured, some links cannot be accessed. Contributed by Yuanbo Liu"

Change-Id: I946a466a43d56c73bb0135384e73cb8513595461 (cherry picked from commit 80ee5248b2dda1cb8d122d4f362f2f8cf02b9467)
2018-03-14 10:47:35 -07:00 · 2018-03-14 10:47:35 -07:00 · 252c2b4d52
parent 41fc7f80be
commit 252c2b4d52
6 changed files with 12 additions and 75 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfServlet.java
@ -20,7 +20,6 @@ package org.apache.hadoop.conf;
 import java.io.IOException;
 import java.io.Writer;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@ -59,12 +58,7 @@ public class ConfServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
-    // If user is a static user and auth Type is null, that means
+    if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
    // there is a non-security environment and no need authorization,
    // otherwise, do the authorization.
    final ServletContext servletContext = getServletContext();
    if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
        !HttpServer2.isInstrumentationAccessAllowed(servletContext,
                                                   request, response)) {
      return;
    }
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/AdminAuthorizedServlet.java
@ -19,7 +19,6 @@ package org.apache.hadoop.http;
 import java.io.IOException;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@ -36,13 +35,9 @@ public class AdminAuthorizedServlet extends DefaultServlet {
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
-      throws ServletException, IOException {
+ throws ServletException, IOException {
-    // If user is a static user and auth Type is null, that means
+    // Do the authorization
-    // there is a non-security environment and no need authorization,
+    if (HttpServer2.hasAdministratorAccess(getServletContext(), request,
    // otherwise, do the authorization.
    final ServletContext servletContext = getServletContext();
    if (HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) ||
        HttpServer2.hasAdministratorAccess(servletContext, request,
        response)) {
      // Authorization is done. Just call super.
      super.doGet(request, response);
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@ -17,9 +17,6 @@
 */
 package org.apache.hadoop.http;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@ -1358,24 +1355,6 @@ public final class HttpServer2 implements FilterContainer {
    return sb.toString();
  }
  /**
   * check whether user is static and unauthenticated, if the
   * answer is TRUE, that means http sever is in non-security
   * environment.
   * @param servletContext the servlet context.
   * @param request the servlet request.
   * @return TRUE/FALSE based on the logic described above.
   */
  public static boolean isStaticUserAndNoneAuthType(
      ServletContext servletContext, HttpServletRequest request) {
    Configuration conf =
        (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
    final String authType = request.getAuthType();
    final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
        DEFAULT_HADOOP_HTTP_STATIC_USER);
    return authType == null && staticUser.equals(request.getRemoteUser());
  }
  /**
   * Checks the user has privileges to access to instrumentation servlets.
   * <p/>
@ -1473,14 +1452,9 @@ public final class HttpServer2 implements FilterContainer {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
-        throws ServletException, IOException {
+      throws ServletException, IOException {
-      // If user is a static user and auth Type is null, that means
+      if (!HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
-      // there is a non-security environment and no need authorization,
+                                                      request, response)) {
      // otherwise, do the authorization.
      final ServletContext servletContext = getServletContext();
      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
          !HttpServer2.isInstrumentationAccessAllowed(servletContext,
              request, response)) {
        return;
      }
      response.setContentType("text/plain; charset=UTF-8");
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@ -38,7 +38,6 @@ import javax.management.RuntimeMBeanException;
 import javax.management.openmbean.CompositeData;
 import javax.management.openmbean.CompositeType;
 import javax.management.openmbean.TabularData;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@ -170,12 +169,7 @@ public class JMXJsonServlet extends HttpServlet {
  @Override
  public void doGet(HttpServletRequest request, HttpServletResponse response) {
    try {
-      // If user is a static user and auth Type is null, that means
+      if (!isInstrumentationAccessAllowed(request, response)) {
      // there is a non-security environment and no need authorization,
      // otherwise, do the authorization.
      final ServletContext servletContext = getServletContext();
      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
          !isInstrumentationAccessAllowed(request, response)) {
        return;
      }
      JsonGenerator jg = null;
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/log/LogLevel.java
@ -27,7 +27,6 @@ import java.util.regex.Pattern;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@ -324,13 +323,9 @@ public class LogLevel {
    public void doGet(HttpServletRequest request, HttpServletResponse response
        ) throws ServletException, IOException {
-      // If user is a static user and auth Type is null, that means
+      // Do the authorization
-      // there is a non-security environment and no need authorization,
+      if (!HttpServer2.hasAdministratorAccess(getServletContext(), request,
-      // otherwise, do the authorization.
+          response)) {
      final ServletContext servletContext = getServletContext();
      if (!HttpServer2.isStaticUserAndNoneAuthType(servletContext, request) &&
          !HttpServer2.hasAdministratorAccess(servletContext,
              request, response)) {
        return;
      }
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
@ -69,9 +69,6 @@ import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.Executor;
 import java.util.concurrent.Executors;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.DEFAULT_HADOOP_HTTP_STATIC_USER;
 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_HTTP_STATIC_USER;
 public class TestHttpServer extends HttpServerFunctionalTest {
  static final Logger LOG = LoggerFactory.getLogger(TestHttpServer.class);
  private static HttpServer2 server;
@ -485,7 +482,7 @@ public class TestHttpServer extends HttpServerFunctionalTest {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
-        "logLevel", "jmx" }) {
+        "logLevel" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
@ -493,18 +490,6 @@ public class TestHttpServer extends HttpServerFunctionalTest {
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
    // hadoop.security.authorization is set as true while
    // hadoop.http.authentication.type's value is `simple`(default value)
    // in this case, static user has administrator access
    final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER,
        DEFAULT_HADOOP_HTTP_STATIC_USER);
    for (String servlet : new String[] {"conf", "logs", "stacks",
        "logLevel", "jmx"}) {
      assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(
          serverURL + servlet, staticUser));
    }
    myServer.stop();
  }