8b00f9f0b1
The Hadoop AccessControlList allows us to specify admins of the webUI via a list of users and/or groups. Admins of the WebUI can mutate the system, potentially seeing sensitive data or modifying the system.

hbase.security.authentication.spnego.admin.users is a comma-separated list of users who are admins. hbase.security.authentication.spnego.admin.groups is a comma-separated list of groups whose membership are admins. Either of these configuration properties may also contain an asterisk (*) which denotes "any entity" (e.g. user, group).

Previously, when a user was denied from some endpoint that was designated for admins, they received an HTTP/401. In this case, it is more correct to return HTTP/403 as they were correctly authenticated, but they were disallowed from fetching the given resource. This commit incorporates this change.

hbase.security.authentication.ui.config.protected also exists for users who have sensitive information stored in the Hadoop service configuration and want to limit access to this endpoint. By default, the Hadoop configuration endpoint is not protected and any authenticated user can access it.

The test is based off of work by Nihal Jain in HBASE-20472.

Co-authored-by: Nihal Jain <nihaljain.cs@gmail.com>
Signed-off-by: Sean Busbey <busbey@apache.org>
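The access decision this commit message describes, as a simplified Python model added here; it is not code from the commit or from HBase. Only the three property names come from the message: the function names, the endpoint kinds, the treatment of a `*` entry, the 401 for an unauthenticated caller, and the sample users and groups are assumptions of the model.

```python
# Simplified model of the web UI access decision described above.
# Not HBase/Hadoop code: only the three property names come from the message.
ADMIN_USERS = "hbase.security.authentication.spnego.admin.users"
ADMIN_GROUPS = "hbase.security.authentication.spnego.admin.groups"
CONFIG_PROTECTED = "hbase.security.authentication.ui.config.protected"


def parse_list(value):
    """Split a comma-separated property value, ignoring blanks."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def is_admin(conf, user, groups):
    """Assumption of this model: a '*' entry in either list matches any entity."""
    users = parse_list(conf.get(ADMIN_USERS))
    admin_groups = parse_list(conf.get(ADMIN_GROUPS))
    if "*" in users or "*" in admin_groups:
        return True
    return user in users or bool(admin_groups & set(groups))


def status_for(conf, user, groups, kind):
    """kind is 'admin', 'config' or 'other' (hypothetical endpoint classes)."""
    if user is None:
        return 401  # no authenticated identity at all (assumed by the model)
    protected = str(conf.get(CONFIG_PROTECTED, "false")).lower() == "true"
    needs_admin = kind == "admin" or (kind == "config" and protected)
    if needs_admin and not is_admin(conf, user, groups):
        return 403  # authenticated, but not allowed to fetch the resource
    return 200


def audit(conf):
    """Flag settings that widen access beyond a named set of admins."""
    findings = []
    for key in (ADMIN_USERS, ADMIN_GROUPS):
        if "*" in parse_list(conf.get(key)):
            findings.append(key + " contains '*': every authenticated user is an admin")
    if str(conf.get(CONFIG_PROTECTED, "false")).lower() != "true":
        findings.append(CONFIG_PROTECTED + " is not true: any authenticated user can read the configuration")
    return findings


# Constructed sample configuration and requests (not from the commit).
SAMPLE = {ADMIN_USERS: "alice, bob", ADMIN_GROUPS: "hbase-ops"}
if __name__ == "__main__":
    for who, grp in (("alice", ()), ("carol", ("dev",)), (None, ())):
        print(who, status_for(SAMPLE, who, grp, "admin"))
    print(audit(SAMPLE))
```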