[ 
https://issues.apache.org/jira/browse/HADOOP-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16432734#comment-16432734
 ] 

Arpit Agarwal commented on HADOOP-12953:
----------------------------------------

Thanks for taking up this change [~bharatviswa].

We probably need to add hdfsBuilderSetCreateProxyUser to hdfs.h, hdfs_shim, 
libhdfs_wapper_defines.h etc. 

Also it may be helpful to define a new method hdfsConnectAsProxyUser, similar 
to hdfsConnectAsUser.

Nitpick: single statement if/else blocks should still have curly braces. e.e. 
here:
{code}
            if (bld->createProxyUser)
                methodToCall = "newInstanceAsProxyUser";
            else
                methodToCall = "newInstance";
{code}

> New API for libhdfs to get FileSystem object as a proxy user
> ------------------------------------------------------------
>
>                 Key: HADOOP-12953
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12953
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.7.2
>            Reporter: Uday Kale
>            Assignee: Uday Kale
>            Priority: Major
>         Attachments: HADOOP-12953.001.patch, HADOOP-12953.002.patch, 
> HADOOP-12953.003.patch
>
>
> Secure impersonation in HDFS needs users to create proxy users and work with 
> those. In libhdfs, the hdfsBuilder accepts a userName but calls 
> FileSytem.get() or FileSystem.newInstance() with the user name to connect as. 
> But, both these interfaces use getBestUGI() to get the UGI for the given 
> user. This is not necessarily true for all services whose end-users would not 
> access HDFS directly, but go via the service to first get authenticated with 
> LDAP, then the service owner can impersonate the end-user to eventually 
> provide the underlying data.
> For such services that authenticate end-users via LDAP, the end users are not 
> authenticated by Kerberos, so their authentication details wont be in the 
> Kerberos ticket cache. HADOOP_PROXY_USER is not a thread-safe way to get this 
> either. 
> Hence the need for the new API for libhdfs to get the FileSystem object as a 
> proxy user using the 'secure impersonation' recommendations. This approach is 
>  secure since HDFS authenticates the service owner and then validates the 
> right for the service owner to impersonate the given user as allowed by 
> hadoop.proxyusers.* parameters of HDFS config.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to