This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 643b80abf5a HDDS-14352. [doc] Add proxy user configuration
documentation to HttpFS (#9596)
643b80abf5a is described below
commit 643b80abf5a77cbf4bca2e493d0965d466d28b7d
Author: Siyao Meng <[email protected]>
AuthorDate: Tue Jan 13 10:02:25 2026 -0800
HDDS-14352. [doc] Add proxy user configuration documentation to HttpFS
(#9596)
Co-authored-by: Zita Dombi <[email protected]>
---
hadoop-hdds/docs/content/interface/HttpFS.md | 61 ++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/hadoop-hdds/docs/content/interface/HttpFS.md
b/hadoop-hdds/docs/content/interface/HttpFS.md
index a4eb7271a11..e91d41053c5 100644
--- a/hadoop-hdds/docs/content/interface/HttpFS.md
+++ b/hadoop-hdds/docs/content/interface/HttpFS.md
@@ -188,6 +188,67 @@ Set ACL | not implemented in
Ozone FileSystem API
Get ACL Status | not implemented in Ozone FileSystem API
Check access | not implemented in Ozone FileSystem API
+## Proxy User Configuration
+
+HttpFS supports proxy user (user impersonation) functionality, which allows a
user to perform operations on behalf of another user. This is useful when
HttpFS is used as a gateway and you want to allow certain users to impersonate
other users.
+
+To configure proxy users, you need to add the following properties to
`httpfs-site.xml`.
+
+### Configuration Properties
+
+For each user that should be allowed to perform impersonation, you need to
configure two properties:
+
+1. **`httpfs.proxyuser.#USER#.hosts`**: List of hosts from which the user is
allowed to perform impersonation operations.
+2. **`httpfs.proxyuser.#USER#.groups`**: List of groups whose users can be
impersonated by the specified user.
+
+Replace `#USER#` with the actual username of the user who should be allowed to
perform impersonation.
+
+### Example Configuration
+
+```xml
+<property>
+ <name>httpfs.proxyuser.knoxuser.hosts</name>
+ <value>*</value>
+ <description>
+ List of hosts the 'knoxuser' user is allowed to perform 'doAs'
+ operations.
+
+ The value can be the '*' wildcard or a comma-separated list of hostnames.
+
+ For multiple users, copy this property and replace the user name
+ in the property name.
+ </description>
+</property>
+
+<property>
+ <name>httpfs.proxyuser.knoxuser.groups</name>
+ <value>*</value>
+ <description>
+ List of groups the 'knoxuser' user is allowed to impersonate users
+ from to perform 'doAs' operations.
+
+ The value can be the '*' wildcard or a comma-separated list of group names.
+
+ For multiple users, copy this property and replace the user name
+ in the property name.
+ </description>
+</property>
+```
+
+In this example, the user `knoxuser` is allowed to impersonate any user from
any host. For production environments, it's recommended to restrict these
values to specific hosts and groups instead of using the wildcard `*`.
+
+### Troubleshooting
+
+If you encounter an error like:
+```
+User: user/host@REALM is not allowed to impersonate user01
+```
+
+This indicates that the proxy user configuration is missing or incorrect.
Ensure that:
+1. The `httpfs.proxyuser.#USER#.hosts` property is set with appropriate host
values
+2. The `httpfs.proxyuser.#USER#.groups` property is set with appropriate group
values
+3. The HttpFS service has been restarted after configuration changes
+
## Hadoop user and developer documentation about HttpFS
* [HttpFS Server
Setup](https://hadoop.apache.org/docs/stable/hadoop-hdfs-httpfs/ServerSetup.html)
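Review bot: The example under "### Example Configuration" sets both `httpfs.proxyuser.knoxuser.hosts` and `httpfs.proxyuser.knoxuser.groups` to `*`, and the advice to restrict them appears only in the paragraph after the block, so anyone who copies the example lets `knoxuser` impersonate any user from any host. Suggest the example carry restricted values in the comma-separated form the descriptions already mention (placeholder hostnames and group names), with `*` described as the permissive alternative, or at least move the production caveat above the XML. In "### Troubleshooting", the sample error names the caller as `user/host@REALM`, but the checklist does not say which part of that principal stands in for `#USER#` in the property name; one sentence on that would make the three checks actionable. A fourth check worth listing is that the user being impersonated (`user01` in the sample error) belongs to one of the groups configured in `httpfs.proxyuser.#USER#.groups`.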