[
https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Yang updated HADOOP-15222:
-------------------------------
Description:
This Jira is responding to follow up work for HADOOP-14077. The original goal
of HADOOP-14077 is to have ability to support multiple ACL lists. The original
problem is a separation of duty use case where the Hadoop cluster hosting
company monitors Hadoop cluster through jmx. Application logs and hdfs
contents should not be visible to hosting company system administrators. When
checking for proxy user authorization in AuthenticationFilter to ensure there
is a way to authorize normal users and admin users using separate proxy users
ACL lists. This was suggested in HADOOP-14060 to configure
AuthenticationFilterWithProxyUser this way:
AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
This enables the second AuthenticationFilterWithProxyUser validates both
credentials claim by proxy user, and end user.
However, there is a side effect that unauthorized users are not properly
rejected with 403 FORBIDDEN message if there is no other web filter configured
to handle the required authorization work.
This JIRA is intend to discuss the work of HADOOP-14077 by either combine
StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a
AuthorizationFilterWithProxyUser as a final filter to evict unauthorized user,
or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false positive in
user authorization and impersonation.
was:
This Jira is responding to follow up work for HADOOP-14077. The original goal
of HADOOP-14077 is to have ability to support multiple ACL lists. When
checking for proxy user authorization in AuthenticationFilter to ensure there
is a way to authorize normal users and admin users using separate proxy users
ACL lists. This was suggested in HADOOP-14060 to configure
AuthenticationFilterWithProxyUser this way:
AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
This enables the second AuthenticationFilterWithProxyUser validates both
credentials claim by proxy user, and end user.
However, there is a side effect that unauthorized users are not properly
rejected with 403 FORBIDDEN message if there is no other web filter configured
to handle the required authorization work.
This JIRA is intend to discuss the work of HADOOP-14077 by either combine
StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a
AuthorizationFilterWithProxyUser as a final filter to evict unauthorized user,
or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false positive in
user authorization.
> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
> Key: HADOOP-15222
> URL: https://issues.apache.org/jira/browse/HADOOP-15222
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Priority: Major
>
> This Jira is responding to follow up work for HADOOP-14077. The original
> goal of HADOOP-14077 is to have ability to support multiple ACL lists. The
> original problem is a separation of duty use case where the Hadoop cluster
> hosting company monitors Hadoop cluster through jmx. Application logs and
> hdfs contents should not be visible to hosting company system administrators.
> When checking for proxy user authorization in AuthenticationFilter to ensure
> there is a way to authorize normal users and admin users using separate proxy
> users ACL lists. This was suggested in HADOOP-14060 to configure
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both
> credentials claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly
> rejected with 403 FORBIDDEN message if there is no other web filter
> configured to handle the required authorization work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized
> user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false
> positive in user authorization and impersonation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
