HADOOP-14047. Require admin to access KMS instrumentation servlets. Contributed by John Zhuge.
This commit is contained in:
parent
663e683adf
commit
d88497d44a
@ -48,6 +48,8 @@ public class KMSConfiguration {
|
||||
public static final int HTTP_PORT_DEFAULT = 9600;
|
||||
public static final String HTTP_HOST_KEY = "hadoop.kms.http.host";
|
||||
public static final String HTTP_HOST_DEFAULT = "0.0.0.0";
|
||||
public static final String HTTP_ADMINS_KEY =
|
||||
"hadoop.kms.http.administrators";
|
||||
|
||||
// SSL properties
|
||||
public static final String SSL_ENABLED_KEY = "hadoop.kms.ssl.enabled";
|
||||
|
@ -34,9 +34,7 @@
|
||||
import org.apache.hadoop.crypto.key.KeyProvider;
|
||||
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
|
||||
import org.apache.hadoop.crypto.key.KeyProviderFactory;
|
||||
import org.apache.hadoop.http.HttpServer2;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||
import org.apache.hadoop.util.VersionInfo;
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
import org.slf4j.Logger;
|
||||
@ -144,14 +142,6 @@ public void contextInitialized(ServletContextEvent sce) {
|
||||
|
||||
kmsAudit = new KMSAudit(kmsConf);
|
||||
|
||||
// this is required for the the JMXJsonServlet to work properly.
|
||||
// the JMXJsonServlet is behind the authentication filter,
|
||||
// thus the '*' ACL.
|
||||
sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE,
|
||||
kmsConf);
|
||||
sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL,
|
||||
new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE));
|
||||
|
||||
// intializing the KeyProvider
|
||||
String providerString = kmsConf.get(KMSConfiguration.KEY_PROVIDER_URI);
|
||||
if (providerString == null) {
|
||||
|
@ -27,6 +27,7 @@
|
||||
import org.apache.hadoop.conf.ConfigurationWithLogging;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.http.HttpServer2;
|
||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||
import org.apache.hadoop.security.ssl.SSLFactory;
|
||||
import org.apache.hadoop.util.StringUtils;
|
||||
import org.slf4j.Logger;
|
||||
@ -84,6 +85,8 @@ public class KMSWebServer {
|
||||
.setConf(conf)
|
||||
.setSSLConf(sslConf)
|
||||
.authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
|
||||
.setACL(new AccessControlList(conf.get(
|
||||
KMSConfiguration.HTTP_ADMINS_KEY, " ")))
|
||||
.addEndpoint(endpoint)
|
||||
.build();
|
||||
}
|
||||
|
@ -37,6 +37,20 @@
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.http.administrators</name>
|
||||
<value></value>
|
||||
<description>ACL for the admins, this configuration is used to control
|
||||
who can access the default KMS servlets. The value should be a comma
|
||||
separated list of users and groups. The user list comes first and is
|
||||
separated by a space followed by the group list,
|
||||
e.g. "user1,user2 group1,group2". Both users and groups are optional,
|
||||
so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
|
||||
are all valid (note the leading space in " group1"). '*' grants access
|
||||
to all users and groups, e.g. '*', '* ' and ' *' are all valid.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.ssl.enabled</name>
|
||||
<value>false</value>
|
||||
|
@ -1063,13 +1063,13 @@ configuration properties instead.
|
||||
|
||||
Environment Variable | Configuration Property | Configuration File
|
||||
-------------------------|------------------------------|--------------------
|
||||
KMS_TEMP | hadoop.http.temp.dir | kms-site.xml
|
||||
KMS_HTTP_PORT | hadoop.kms.http.port | kms-site.xml
|
||||
KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml
|
||||
KMS_MAX_THREADS | hadoop.http.max.threads | kms-site.xml
|
||||
KMS_SSL_ENABLED | hadoop.kms.ssl.enabled | kms-site.xml
|
||||
KMS_SSL_KEYSTORE_FILE | ssl.server.keystore.location | ssl-server.xml
|
||||
KMS_SSL_KEYSTORE_PASS | ssl.server.keystore.password | ssl-server.xml
|
||||
KMS_TEMP | hadoop.http.temp.dir | kms-site.xml
|
||||
|
||||
$H3 Default HTTP Services
|
||||
|
||||
@ -1081,3 +1081,37 @@ Name | Description
|
||||
/logs | Display log files
|
||||
/stacks | Display JVM stacks
|
||||
/static/index.html | The static home page
|
||||
|
||||
To control the access to servlet `/conf`, `/jmx`, `/logLevel`, `/logs`,
|
||||
and `/stacks`, configure the following properties in `kms-site.xml`:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.security.authorization</name>
|
||||
<value>true</value>
|
||||
<description>Is service-level authorization enabled?</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.security.instrumentation.requires.admin</name>
|
||||
<value>true</value>
|
||||
<description>
|
||||
Indicates if administrator ACLs are required to access
|
||||
instrumentation servlets (JMX, METRICS, CONF, STACKS).
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.http.administrators</name>
|
||||
<value></value>
|
||||
<description>ACL for the admins, this configuration is used to control
|
||||
who can access the default KMS servlets. The value should be a comma
|
||||
separated list of users and groups. The user list comes first and is
|
||||
separated by a space followed by the group list,
|
||||
e.g. "user1,user2 group1,group2". Both users and groups are optional,
|
||||
so "user1", " group1", "", "user1 group1", "user1,user2 group1,group2"
|
||||
are all valid (note the leading space in " group1"). '*' grants access
|
||||
to all users and groups, e.g. '*', '* ' and ' *' are all valid.
|
||||
</description>
|
||||
</property>
|
||||
```
|
Loading…
Reference in New Issue
Block a user