[ https://issues.apache.org/jira/browse/HADOOP-15922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690402#comment-16690402 ]
He Xiaoqiao commented on HADOOP-15922:
--------------------------------------
Hi [~eyang]
{quote}If the client is changed to proxy from client/host, then
hadoop.kms.proxyuser.client.hosts should include host:
conf.set("hadoop.kms.proxyuser.client.hosts", "localhost,host");
{quote}
In the unit test, I try to use user 'client/host' to impersonate 'foo/localhost'.
Actually, it is configured for user 'client' which users/groups/hosts it can
impersonate, using the configuration keys
'hadoop.kms.proxyuser.client.users'/'hadoop.kms.proxyuser.client.hosts', and it
is indeed valid. Impersonating user 'foo/localhost' can pass auth since:
{code:java}
conf.set("hadoop.kms.proxyuser.client.users", "foo/localhost");
conf.set("hadoop.kms.proxyuser.client.hosts", "localhost");
{code}
It is not necessary to check groups if the users check passes; ref.
org.apache.hadoop.security.authorize.AccessControlList#isUserInList
{code:java}
public final boolean isUserInList(UserGroupInformation ugi) {
  if (allAllowed || users.contains(ugi.getShortUserName())) {
    return true;
  } else if (!groups.isEmpty()) {
    for (String group : ugi.getGroups()) {
      if (groups.contains(group)) {
        return true;
      }
    }
  }
  return false;
}
{code}
{quote}I am not sure why KMS doesn't use standard
hadoop.proxyuser.client.groups and hadoop.proxyuser.client.hosts.{quote}
The configuration prefix 'hadoop.kms' for KMS originates from HADOOP-10433; however,
I do not find why KMS uses a non-standard configuration.
> DelegationTokenAuthenticationFilter get wrong doAsUser since it does not
> decode URL
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-15922
> URL: https://issues.apache.org/jira/browse/HADOOP-15922
> Project: Hadoop Common
> Issue Type: Bug
> Components: common, kms
> Reporter: He Xiaoqiao
> Assignee: He Xiaoqiao
> Priority: Major
> Attachments: HADOOP-15922.001.patch, HADOOP-15922.002.patch,
> HADOOP-15922.003.patch, HADOOP-15922.004.patch
>
>
> DelegationTokenAuthenticationFilter gets the wrong doAsUser when the proxy user from
> the client is a complete Kerberos name (e.g., user/[email protected], which is
> actually acceptable), because DelegationTokenAuthenticationFilter does not decode
> the DOAS parameter in the URL, which is encoded by {{URLEncoder}} at the client.
> e.g., taking KMS as an example:
> a. KMSClientProvider creates a connection to the KMS server using
> DelegationTokenAuthenticatedURL#openConnection.
> b. If KMSClientProvider has a doAsUser, KMSClientProvider will put {{doas}}
> with the URL-encoded user as one parameter of the HTTP request.
> {code:java}
> // proxyuser
> if (doAs != null) {
>   extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
> }
> {code}
> c. When the KMS server receives the request, it does not decode the proxy user.
> As a result, the KMS server will get the wrong proxy user if this proxy user is a
> complete Kerberos name or includes some special character. Some other
> authentication and authorization exceptions will be thrown after that.
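The encode/decode mismatch described in the issue, as an added stand-alone example (not Hadoop's own code): a client builds the {{doas}} query parameter with URLEncoder, and a server-side reader that skips URLDecoder sees "foo%2Flocalhost" instead of "foo/localhost", so the constructed proxyuser allowlist no longer matches. The class, its method names and the allowlist values are hypothetical and mirror the configuration quoted in the comment above.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical stand-in for the KMS proxyuser check; not Hadoop's ProxyUsers code. */
public class DoAsEncodingDemo {
    // Constructed allowlist mirroring hadoop.kms.proxyuser.client.users / .hosts above.
    static final Set<String> ALLOWED_USERS = new HashSet<>(Arrays.asList("foo/localhost"));
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList("localhost"));

    /** Builds the query string the way the client does: the DO_AS value goes through URLEncoder. */
    static String buildQuery(String doAs) throws Exception {
        return "doas=" + URLEncoder.encode(doAs, "UTF-8");
    }

    /** Extracts the doas value from a raw query string; decode=false models the filter's bug. */
    static String doAsFromQuery(String query, boolean decode) throws Exception {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("doas")) {
                String value = pair.substring(eq + 1);
                return decode ? URLDecoder.decode(value, "UTF-8") : value;
            }
        }
        return null;
    }

    /** Proxy user 'client' may impersonate doAs only when both the user and host lists match. */
    static boolean proxyAllowed(String doAs, String remoteHost) {
        return doAs != null && ALLOWED_USERS.contains(doAs) && ALLOWED_HOSTS.contains(remoteHost);
    }

    public static void main(String[] args) throws Exception {
        String query = buildQuery("foo/localhost");   // doas=foo%2Flocalhost
        String raw = doAsFromQuery(query, false);      // "foo%2Flocalhost": the '/' is still escaped
        String fixed = doAsFromQuery(query, true);     // "foo/localhost": original principal recovered
        System.out.println(query);
        System.out.println("undecoded: " + raw + " allowed=" + proxyAllowed(raw, "localhost"));
        System.out.println("decoded:   " + fixed + " allowed=" + proxyAllowed(fixed, "localhost"));
    }
}
```

A full principal such as user/host@REALM is affected the same way, since URLEncoder also escapes '@' as "%40".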
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)