HBASE-20472: InfoServer does not honour any ACL set by the admin

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • Labels: security, UI

    Description

      The adminsAcl property can be used to restrict access to certain sections of the web UI to a particular set of users/groups only. But in HBase, the adminsAcl variable for InfoServer is always null, so it does not honour any ACL set by the admin. In fact I could not find any property in HBase to specify an ACL list for the web server.

      Analysis:

      • The InfoServer object forgets to set any adminsAcl in the builder object for the HTTP server:

        public InfoServer(String name, String bindAddress, int port, boolean findPort,
            final Configuration c) {
          // ...
          HttpServer.Builder builder =
              new org.apache.hadoop.hbase.http.HttpServer.Builder();
          // ...
          this.httpServer = builder.build();
        }

      See the InfoServer constructor.

      • The HTTP server retrieves a null value and sets it as adminsAcl, which is passed to the createWebAppContext() method:

        private HttpServer(final Builder b) throws IOException {
          // ...
          this.adminsAcl = b.adminsAcl;
          this.webAppContext = createWebAppContext(b.name, b.conf, adminsAcl, appDir);
          // ...
        }

      See L527 HttpServer.java

      • This method then sets the ADMINS_ACL attribute of the servlet context to null:

        private static WebAppContext createWebAppContext(String name,
            Configuration conf, AccessControlList adminsAcl, final String appDir) {
          WebAppContext ctx = new WebAppContext();
          // ...
          ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
          // ...
        }
      
      • Now any page that calls HttpServer.hasAdministratorAccess() will allow access to everyone, making this check useless:

        @Override
        public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
          // Do the authorization
          if (!HttpServer.hasAdministratorAccess(getServletContext(), request,
              response)) {
            return;
          }
          // ...
        }

      For example, see L104 LogLevel.java

      • hasAdministratorAccess() checks the following and returns true in every case, since ADMINS_ACL is always null:

        public static boolean hasAdministratorAccess(
            ServletContext servletContext, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
          // ...
          if (servletContext.getAttribute(ADMINS_ACL) != null &&
              !userHasAdministratorAccess(servletContext, remoteUser)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
                + remoteUser + " is unauthorized to access this page.");
            return false;
          }
          return true;
        }

      See line 1196 in HttpServer
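      The following is an added example and is not code from the HBase project or from the reporter. It models the fail-open check quoted above in a self-contained Java program: SimpleAcl is a hypothetical stand-in for Hadoop's AccessControlList, the method and variable names are chosen for illustration, and the users and groups are constructed test data. It shows that with a null ACL (what InfoServer ends up with because it never sets one on the builder) every caller passes the "admin" check, that the same check works once an ACL is actually supplied, and what a fail-closed variant that denies on a missing ACL would look like.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not HBase code). Contrasts the reported fail-open admin
 * check with a fail-closed variant. SimpleAcl is a hypothetical stand-in
 * for org.apache.hadoop.security.authorize.AccessControlList.
 */
public class AdminAclDemo {

    /** Hypothetical minimal ACL: a user passes if listed by name, if a member of a listed group, or if the user list is "*". */
    static final class SimpleAcl {
        private final boolean allowAll;
        private final Set<String> users;
        private final Set<String> groups;

        SimpleAcl(String userCsv, String groupCsv) {
            this.allowAll = "*".equals(userCsv.trim());
            this.users = split(userCsv);
            this.groups = split(groupCsv);
        }

        private static Set<String> split(String csv) {
            Set<String> out = new HashSet<>();
            for (String s : csv.split(",")) {
                String t = s.trim();
                if (!t.isEmpty()) {
                    out.add(t);
                }
            }
            return out;
        }

        boolean isUserAllowed(String user, List<String> userGroups) {
            if (allowAll || users.contains(user)) {
                return true;
            }
            for (String g : userGroups) {
                if (groups.contains(g)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Mirrors the logic quoted from HttpServer.hasAdministratorAccess():
     * the ACL is only consulted when one is present, so a null ACL lets
     * every caller through.
     */
    static boolean hasAdministratorAccessFailOpen(SimpleAcl acl, String remoteUser, List<String> userGroups) {
        if (acl != null && !acl.isUserAllowed(remoteUser, userGroups)) {
            return false; // the real code would call response.sendError(SC_UNAUTHORIZED, ...) here
        }
        return true;
    }

    /**
     * Fail-closed variant (hypothetical): once authorization is switched on,
     * a missing ACL or an unauthenticated caller is denied instead of being
     * silently granted admin access.
     */
    static boolean hasAdministratorAccessFailClosed(boolean authorizationEnabled, SimpleAcl acl,
                                                    String remoteUser, List<String> userGroups) {
        if (!authorizationEnabled) {
            return true; // authorization off: no restriction, same as before
        }
        if (acl == null || remoteUser == null) {
            return false; // nothing to check against, or nobody to check: deny
        }
        return acl.isUserAllowed(remoteUser, userGroups);
    }

    public static void main(String[] args) {
        List<String> noGroups = Arrays.asList();
        List<String> adminGroup = Arrays.asList("hbase-admins");

        // Constructed scenario: the ACL an operator intended the web UI to enforce.
        SimpleAcl acl = new SimpleAcl("alice", "hbase-admins");

        // 1. Reported behaviour: InfoServer never sets the ACL, so acl == null and anyone passes.
        System.out.println("fail-open, acl=null, mallory: "
                + hasAdministratorAccessFailOpen(null, "mallory", noGroups));

        // 2. The same check does enforce the ACL once one is actually wired in.
        System.out.println("fail-open, acl set, mallory: "
                + hasAdministratorAccessFailOpen(acl, "mallory", noGroups));
        System.out.println("fail-open, acl set, bob in hbase-admins: "
                + hasAdministratorAccessFailOpen(acl, "bob", adminGroup));

        // 3. Fail-closed: a forgotten ACL denies when authorization is on, rather than opening the page.
        System.out.println("fail-closed, authz on, acl=null, mallory: "
                + hasAdministratorAccessFailClosed(true, null, "mallory", noGroups));
        System.out.println("fail-closed, authz on, acl set, alice: "
                + hasAdministratorAccessFailClosed(true, acl, "alice", noGroups));
    }
}
```

      Compile and run with javac AdminAclDemo.java && java AdminAclDemo. The point of the fail-closed variant is that the decision to skip the ACL check is tied to an explicit "authorization enabled" switch rather than to whether someone remembered to pass an ACL to the builder; in HBase terms the fix would be to have InfoServer actually supply an ACL to the HttpServer builder, and to make the admin check refuse rather than allow when authorization is on but no ACL was set.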

            People

              Assignee: Nihal Jain (nihaljain.cs)
              Reporter: Nihal Jain (nihaljain.cs)