Larry McCay commented on HADOOP-15222:

[~eyang] - IMO, we need to revert both HADOOP-14077 and HADOOP-13119 and then 
determine whether to address the original issue.

Let's please be clear on what that problem is - can you verify whether the 
following summarizes it properly?
 # There are deployments that only allow access through a single proxy entry 
 # Some resources that are accessible through proxies should only be accessible 
for admins
 # Proxyuser enforcement is generally used to restrict proxies from 
impersonating admins and super users for obvious reasons

Due to the paradox created by the facts in 2 and 3 above we have the following 
situation, we need to decide whether we should either:
 # Disable certain paths for proxy users as they are intended only for direct 
access by authenticated users and deployments described in #1 above are out of 
 # Open the proxyuser enforcement rules to allow admin access for specific paths

Personally, I don't believe that the fact that certain resources can't be 
accessed in deployments that only allow impersonation means that we should 
redefine the proxyuser enforcement strength.

I think that it is valid to consider strengthening the proxyuser enforcement to 
deny access to specific sensitive resources.

Whether or not certain resources are too sensitive for impersonation can be 
left up to the deployment.

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>                 Key: HADOOP-15222
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15222
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Priority: Major
> This Jira is responding to follow up work for HADOOP-14077.  The original 
> goal of HADOOP-14077 is to have ability to support multiple ACL lists.  When 
> checking for proxy user authorization in AuthenticationFilter to ensure there 
> is a way to authorize normal users and admin users using separate proxy users 
> ACL lists.  This was suggested in HADOOP-14060 to configure 
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both 
> credentials claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly 
> rejected with 403 FORBIDDEN message if there is no other web filter 
> configured to handle the required authorization work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine 
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a 
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized 
> user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false 
> positive in user authorization.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to