[ https://issues.apache.org/jira/browse/HADOOP-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16432734#comment-16432734 ]
Arpit Agarwal edited comment on HADOOP-12953 at 4/10/18 6:30 PM: ----------------------------------------------------------------- Thanks for taking up this change [~bharatviswa]. We probably need to add hdfsBuilderSetCreateProxyUser to hdfs.h, hdfs_shim, libhdfs_wapper_defines.h etc. Also it may be helpful to define a new method hdfsConnectAsProxyUser, similar to hdfsConnectAsUser. Nitpick: single statement if/else blocks should still have curly braces. e.g. here: {code} if (bld->createProxyUser) methodToCall = "newInstanceAsProxyUser"; else methodToCall = "newInstance"; {code} was (Author: arpitagarwal): Thanks for taking up this change [~bharatviswa]. We probably need to add hdfsBuilderSetCreateProxyUser to hdfs.h, hdfs_shim, libhdfs_wapper_defines.h etc. Also it may be helpful to define a new method hdfsConnectAsProxyUser, similar to hdfsConnectAsUser. Nitpick: single statement if/else blocks should still have curly braces. e.e. here: {code} if (bld->createProxyUser) methodToCall = "newInstanceAsProxyUser"; else methodToCall = "newInstance"; {code} > New API for libhdfs to get FileSystem object as a proxy user > ------------------------------------------------------------ > > Key: HADOOP-12953 > URL: https://issues.apache.org/jira/browse/HADOOP-12953 > Project: Hadoop Common > Issue Type: Improvement > Components: fs > Affects Versions: 2.7.2 > Reporter: Uday Kale > Assignee: Uday Kale > Priority: Major > Attachments: HADOOP-12953.001.patch, HADOOP-12953.002.patch, > HADOOP-12953.003.patch > > > Secure impersonation in HDFS needs users to create proxy users and work with > those. In libhdfs, the hdfsBuilder accepts a userName but calls > FileSytem.get() or FileSystem.newInstance() with the user name to connect as. > But, both these interfaces use getBestUGI() to get the UGI for the given > user. This is not necessarily true for all services whose end-users would not > access HDFS directly, but go via the service to first get authenticated with > LDAP, then the service owner can impersonate the end-user to eventually > provide the underlying data. > For such services that authenticate end-users via LDAP, the end users are not > authenticated by Kerberos, so their authentication details wont be in the > Kerberos ticket cache. HADOOP_PROXY_USER is not a thread-safe way to get this > either. > Hence the need for the new API for libhdfs to get the FileSystem object as a > proxy user using the 'secure impersonation' recommendations. This approach is > secure since HDFS authenticates the service owner and then validates the > right for the service owner to impersonate the given user as allowed by > hadoop.proxyusers.* parameters of HDFS config. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org