From 4800976ae318d587389892b3987293f093202b71 Mon Sep 17 00:00:00 2001
From: Nihal Jain
Date: Tue, 25 Apr 2023 09:42:01 +0530
Subject: [PATCH] HBASE-27792 Guard Master/RS Dump Servlet behind admin walls (#5176)
---
 .../apache/hadoop/hbase/master/http/MasterDumpServlet.java | 4 ++++
 .../apache/hadoop/hbase/regionserver/http/RSDumpServlet.java | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/http/MasterDumpServlet.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/http/MasterDumpServlet.java
index 6ed3419e831..3f2c3b4af7d 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/http/MasterDumpServlet.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/http/MasterDumpServlet.java
@@ -28,6 +28,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.ServerMetrics;
 import org.apache.hadoop.hbase.ServerName;
+import org.apache.hadoop.hbase.http.HttpServer;
 import org.apache.hadoop.hbase.master.HMaster;
 import org.apache.hadoop.hbase.master.ServerManager;
 import org.apache.hadoop.hbase.master.assignment.AssignmentManager;
@@ -46,6 +47,9 @@ public class MasterDumpServlet extends StateDumpServlet {
 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(), request, response)) {
+ return;
+ }
 HMaster master = (HMaster) getServletContext().getAttribute(HMaster.MASTER);
 assert master != null : "No Master in context!";
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/http/RSDumpServlet.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/http/RSDumpServlet.java
index fe9e41a960c..4c98c08b072 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/http/RSDumpServlet.java
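Review bot: The guard added at the top of MasterDumpServlet.doGet (and the identical one in RSDumpServlet.doGet) is only as strong as the configuration read by `HttpServer.isInstrumentationAccessAllowed`, and nothing in the new code says so. As far as I know that helper enforces the admin check only when `hadoop.security.instrumentation.requires.admin` is true, which is not the default, so on a default deployment the dump would presumably still be served to any caller; please confirm against HttpServer. A comment above the check would record this, e.g. `// Admin-only when hadoop.security.instrumentation.requires.admin=true; the helper is expected to send the error response itself, hence the bare return.` doGet's body continues outside the hunk.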
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/http/RSDumpServlet.java
@@ -25,6 +25,7 @@ import java.util.Date;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.http.HttpServer;
 import org.apache.hadoop.hbase.ipc.CallQueueInfo;
 import org.apache.hadoop.hbase.monitoring.StateDumpServlet;
 import org.apache.hadoop.hbase.monitoring.TaskMonitor;
@@ -42,6 +43,9 @@ public class RSDumpServlet extends StateDumpServlet {
 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(), request, response)) {
+ return;
+ }
 HRegionServer hrs = (HRegionServer) getServletContext().getAttribute(HRegionServer.REGIONSERVER);
 assert hrs != null : "No RS in context!";
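Review bot: The same access check is now pasted verbatim into RSDumpServlet.doGet and MasterDumpServlet.doGet, so any dump servlet added later stays unguarded unless its author remembers to copy it. Both classes extend StateDumpServlet, so a small protected helper there, called first in each doGet, would keep the check in one place and make a missing guard easier to spot in review. The diffstat also shows no test change; a test that requests the dump endpoint as a non-admin with admin-only instrumentation enabled and expects a rejection would pin the behaviour. doGet's body continues outside the hunk.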