Eric Yang commented on HADOOP-15222:

[~lmccay] Thank you for the summary.  This is aligned with the original problem 
statement.  Role based ACL in standard J2EE web application would be the right 
approach to solve the authorization problem.  User can describe in web.xml 
which url resource are allowed by roles.  Roles are mapped to groups of users.  
It would be nice to do the same in Hadoop.  Hadoop web applications don't quite 
follow J2EE design pattern.  This made the problem hard to solve for Hadoop.  
We can start by turning Hadoop jetty Java code back to configuration, and maps 
to roles.  In doing so, we might finish in 2-3 years of hard labour.  There 
might be better ways to resolve this issue that we need to explore.

HADOOP-13119 is back ported to Hadoop 2.8.x as a new feature in Hadoop 2.8.  Do 
we revert HADOOP-13119 from 2.8.x or we keep HADOOP-13119 as the temp solution 
until the new work is completed?

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>                 Key: HADOOP-15222
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15222
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Priority: Major
> This Jira is responding to follow up work for HADOOP-14077.  The original 
> goal of HADOOP-14077 is to have ability to support multiple ACL lists.  When 
> checking for proxy user authorization in AuthenticationFilter to ensure there 
> is a way to authorize normal users and admin users using separate proxy users 
> ACL lists.  This was suggested in HADOOP-14060 to configure 
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both 
> credentials claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly 
> rejected with 403 FORBIDDEN message if there is no other web filter 
> configured to handle the required authorization work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine 
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a 
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized 
> user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false 
> positive in user authorization.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to