[ 
https://issues.apache.org/jira/browse/HADOOP-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16428847#comment-16428847
 ] 

Bharat Viswanadham commented on HADOOP-12953:
---------------------------------------------

Attached the rebased patch, and also added testcases for newly added API's in 
FileSystem.java.

 

I am not much familiar with native code, not worked on adding new API's in 
native for same. Left as it is, as original author. If neeed, we can work on 
new jira.

 

> New API for libhdfs to get FileSystem object as a proxy user
> ------------------------------------------------------------
>
>                 Key: HADOOP-12953
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12953
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.7.2
>            Reporter: Uday Kale
>            Assignee: Uday Kale
>            Priority: Major
>         Attachments: HADOOP-12953.001.patch, HADOOP-12953.002.patch, 
> HADOOP-12953.003.patch
>
>
> Secure impersonation in HDFS needs users to create proxy users and work with 
> those. In libhdfs, the hdfsBuilder accepts a userName but calls 
> FileSytem.get() or FileSystem.newInstance() with the user name to connect as. 
> But, both these interfaces use getBestUGI() to get the UGI for the given 
> user. This is not necessarily true for all services whose end-users would not 
> access HDFS directly, but go via the service to first get authenticated with 
> LDAP, then the service owner can impersonate the end-user to eventually 
> provide the underlying data.
> For such services that authenticate end-users via LDAP, the end users are not 
> authenticated by Kerberos, so their authentication details wont be in the 
> Kerberos ticket cache. HADOOP_PROXY_USER is not a thread-safe way to get this 
> either. 
> Hence the need for the new API for libhdfs to get the FileSystem object as a 
> proxy user using the 'secure impersonation' recommendations. This approach is 
>  secure since HDFS authenticates the service owner and then validates the 
> right for the service owner to impersonate the given user as allowed by 
> hadoop.proxyusers.* parameters of HDFS config.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to