HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge.

hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java

@@ -48,6 +48,8 @@ public class KMSConfiguration {
   public static final int HTTP_PORT_DEFAULT = 9600;
   public static final String HTTP_HOST_KEY = "hadoop.kms.http.host";
   public static final String HTTP_HOST_DEFAULT = "0.0.0.0";
+  public static final String HTTP_ADMINS_KEY =
+      "hadoop.kms.http.administrators";
 
   // SSL properties
   public static final String SSL_ENABLED_KEY = "hadoop.kms.ssl.enabled";

hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java

@@ -34,9 +34,7 @@
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
 import org.apache.hadoop.crypto.key.KeyProviderFactory;
-import org.apache.hadoop.http.HttpServer2;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.util.VersionInfo;
 import org.apache.log4j.PropertyConfigurator;
 import org.slf4j.Logger;
@@ -144,14 +142,6 @@ public void contextInitialized(ServletContextEvent sce) {
 
       kmsAudit = new KMSAudit(kmsConf);
 
-      // this is required for the the JMXJsonServlet to work properly.
-      // the JMXJsonServlet is behind the authentication filter,
-      // thus the '*' ACL.
-      sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE,
-          kmsConf);
-      sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL,
-          new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE));
-
       // intializing the KeyProvider
       String providerString = kmsConf.get(KMSConfiguration.KEY_PROVIDER_URI);
       if (providerString == null) {

hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java

@@ -27,6 +27,7 @@
 import org.apache.hadoop.conf.ConfigurationWithLogging;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.util.StringUtils;
 import org.slf4j.Logger;
@@ -84,6 +85,8 @@ public class KMSWebServer {
         .setConf(conf)
         .setSSLConf(sslConf)
         .authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
+        .setACL(new AccessControlList(conf.get(
+            KMSConfiguration.HTTP_ADMINS_KEY, " ")))
         .addEndpoint(endpoint)
         .build();
   }

hadoop-common-project/hadoop-kms/src/main/resources/kms-default.xml

@@ -37,6 +37,20 @@
     </description>
   </property>
 
+  <property>
+    <name>hadoop.kms.http.administrators</name>
+    <value></value>
+    <description>ACL for the admins, this configuration is used to control
+      who can access the default KMS servlets. The value should be a comma
+      separated list of users and groups. The user list comes first and is
+      separated by a space followed by the group list,
+      e.g. "user1,user2 group1,group2". Both users and groups are optional,
+      so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
+      are all valid (note the leading space in " group1"). '*' grants access
+      to all users and groups, e.g. '*', '* ' and ' *' are all valid.
+    </description>
+  </property>
+
   <property>
     <name>hadoop.kms.ssl.enabled</name>
     <value>false</value>

hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm

@@ -1063,13 +1063,13 @@ configuration properties instead.
 
 Environment Variable     | Configuration Property       | Configuration File
 -------------------------|------------------------------|--------------------
+KMS_TEMP                 | hadoop.http.temp.dir         | kms-site.xml
 KMS_HTTP_PORT            | hadoop.kms.http.port         | kms-site.xml
 KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml
 KMS_MAX_THREADS          | hadoop.http.max.threads      | kms-site.xml
 KMS_SSL_ENABLED          | hadoop.kms.ssl.enabled       | kms-site.xml
 KMS_SSL_KEYSTORE_FILE    | ssl.server.keystore.location | ssl-server.xml
 KMS_SSL_KEYSTORE_PASS    | ssl.server.keystore.password | ssl-server.xml
-KMS_TEMP                 | hadoop.http.temp.dir         | kms-site.xml
 
 $H3 Default HTTP Services
 
@@ -1081,3 +1081,37 @@ Name               | Description
 /logs              | Display log files
 /stacks            | Display JVM stacks
 /static/index.html | The static home page
+
+To control the access to servlet `/conf`, `/jmx`, `/logLevel`, `/logs`,
+and `/stacks`, configure the following properties in `kms-site.xml`:
+
+```xml
+  <property>
+    <name>hadoop.security.authorization</name>
+    <value>true</value>
+    <description>Is service-level authorization enabled?</description>
+  </property>
+
+  <property>
+    <name>hadoop.security.instrumentation.requires.admin</name>
+    <value>true</value>
+    <description>
+      Indicates if administrator ACLs are required to access
+      instrumentation servlets (JMX, METRICS, CONF, STACKS).
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.http.administrators</name>
+    <value></value>
+    <description>ACL for the admins, this configuration is used to control
+      who can access the default KMS servlets. The value should be a comma
+      separated list of users and groups. The user list comes first and is
+      separated by a space followed by the group list,
+      e.g. "user1,user2 group1,group2". Both users and groups are optional,
+      so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
+      are all valid (note the leading space in " group1"). '*' grants access
+      to all users and groups, e.g. '*', '* ' and ' *' are all valid.
+    </description>
+  </property>
+```