HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge.

This commit is contained in:
Xiao Chen 2017-02-06 13:14:17 -08:00
parent 663e683adf
commit d88497d44a
5 changed files with 55 additions and 12 deletions

View File

@ -48,6 +48,8 @@ public class KMSConfiguration {
public static final int HTTP_PORT_DEFAULT = 9600;
public static final String HTTP_HOST_KEY = "hadoop.kms.http.host";
public static final String HTTP_HOST_DEFAULT = "0.0.0.0";
public static final String HTTP_ADMINS_KEY =
"hadoop.kms.http.administrators";
// SSL properties
public static final String SSL_ENABLED_KEY = "hadoop.kms.ssl.enabled";

View File

@ -34,9 +34,7 @@
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.VersionInfo;
import org.apache.log4j.PropertyConfigurator;
import org.slf4j.Logger;
@ -144,14 +142,6 @@ public void contextInitialized(ServletContextEvent sce) {
kmsAudit = new KMSAudit(kmsConf);
// this is required for the the JMXJsonServlet to work properly.
// the JMXJsonServlet is behind the authentication filter,
// thus the '*' ACL.
sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE,
kmsConf);
sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL,
new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE));
// intializing the KeyProvider
String providerString = kmsConf.get(KMSConfiguration.KEY_PROVIDER_URI);
if (providerString == null) {

View File

@ -27,6 +27,7 @@
import org.apache.hadoop.conf.ConfigurationWithLogging;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger;
@ -84,6 +85,8 @@ public class KMSWebServer {
.setConf(conf)
.setSSLConf(sslConf)
.authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
.setACL(new AccessControlList(conf.get(
KMSConfiguration.HTTP_ADMINS_KEY, " ")))
.addEndpoint(endpoint)
.build();
}

View File

@ -37,6 +37,20 @@
</description>
</property>
<property>
<name>hadoop.kms.http.administrators</name>
<value></value>
<description>ACL for the admins, this configuration is used to control
who can access the default KMS servlets. The value should be a comma
separated list of users and groups. The user list comes first and is
separated by a space followed by the group list,
e.g. "user1,user2 group1,group2". Both users and groups are optional,
so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
are all valid (note the leading space in " group1"). '*' grants access
to all users and groups, e.g. '*', '* ' and ' *' are all valid.
</description>
</property>
<property>
<name>hadoop.kms.ssl.enabled</name>
<value>false</value>

View File

@ -1063,13 +1063,13 @@ configuration properties instead.
Environment Variable | Configuration Property | Configuration File
-------------------------|------------------------------|--------------------
KMS_TEMP | hadoop.http.temp.dir | kms-site.xml
KMS_HTTP_PORT | hadoop.kms.http.port | kms-site.xml
KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml
KMS_MAX_THREADS | hadoop.http.max.threads | kms-site.xml
KMS_SSL_ENABLED | hadoop.kms.ssl.enabled | kms-site.xml
KMS_SSL_KEYSTORE_FILE | ssl.server.keystore.location | ssl-server.xml
KMS_SSL_KEYSTORE_PASS | ssl.server.keystore.password | ssl-server.xml
KMS_TEMP | hadoop.http.temp.dir | kms-site.xml
$H3 Default HTTP Services
@ -1081,3 +1081,37 @@ Name | Description
/logs | Display log files
/stacks | Display JVM stacks
/static/index.html | The static home page
To control the access to servlet `/conf`, `/jmx`, `/logLevel`, `/logs`,
and `/stacks`, configure the following properties in `kms-site.xml`:
```xml
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>Is service-level authorization enabled?</description>
</property>
<property>
<name>hadoop.security.instrumentation.requires.admin</name>
<value>true</value>
<description>
Indicates if administrator ACLs are required to access
instrumentation servlets (JMX, METRICS, CONF, STACKS).
</description>
</property>
<property>
<name>hadoop.kms.http.administrators</name>
<value></value>
<description>ACL for the admins, this configuration is used to control
who can access the default KMS servlets. The value should be a comma
separated list of users and groups. The user list comes first and is
separated by a space followed by the group list,
e.g. "user1,user2 group1,group2". Both users and groups are optional,
so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
are all valid (note the leading space in " group1"). '*' grants access
to all users and groups, e.g. '*', '* ' and ' *' are all valid.
</description>
</property>
```