[ https://issues.apache.org/jira/browse/HADOOP-16095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang updated HADOOP-16095:
-------------------------------
    Description: 
External services or YARN services may need to call into WebHDFS or the YARN REST 
API on behalf of a user using web protocols. It would be good to support an 
impersonation mechanism in AuthenticationFilter or similar extensions. The 
general design is similar to UserGroupInformation.doAs in the RPC layer.

The calling service's credential is verified as a proxy user coming from a 
trusted host using the Hadoop proxy user ACL. If the proxy user ACL allows the 
proxy user to become the doAs user, the HttpRequest object reports REMOTE_USER 
as the doAs user. This feature enables web application logic to be written with 
minimal changes to call the Hadoop API with a UserGroupInformation wrapper.
h2. HTTP Request

A few possible options:

1. Using query parameter to pass doAs user:
{code:java}
POST /service?doAs=foobar
Authorization: [proxy user Kerberos token]
{code}
2. Use HTTP Header to pass doAs user:
{code:java}
POST /service
Authorization: [proxy user Kerberos token]
x-hadoop-doas: foobar
{code}
h2. HTTP Response

403 - Forbidden (including the case where impersonation is not allowed)
h2. Proxy User ACL requirement

The proxy user's Kerberos token maps to a service principal, such as 
yarn/host1.example.com. The host part of the credential and the HTTP request 
origin are both validated against the *hadoop.proxyuser.yarn.hosts* ACL. The doAs 
user's group membership or identity is checked against either 
*hadoop.proxyuser.yarn.groups* or *hadoop.proxyuser.yarn.users*. This ensures 
that the caller comes from an authorized host and that the doAs user belongs to 
an authorized group (or is an authorized user).
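The following is an added example, not code from Hadoop's AuthenticationFilter or ProxyUsers classes, that models the request handling and ACL check described above in Python: the doAs user is taken from the query parameter or the x-hadoop-doas header, the service principal is split into its short name and host part, both that host and the request origin are checked against hadoop.proxyuser.<user>.hosts, and the doAs user is checked against hadoop.proxyuser.<user>.users or, via group membership, hadoop.proxyuser.<user>.groups. The config keys and header name are the ones on this page; the in-memory group table, the "*" wildcard, the exact-string host matching and the rule that conflicting query/header values are refused are simplifying assumptions of the example.

```python
"""Model of the doAs / proxy-user check proposed in HADOOP-16095.

Constructed example, not Hadoop's AuthenticationFilter or ProxyUsers code.
Config keys hadoop.proxyuser.<proxy user>.{hosts,groups,users} and the
x-hadoop-doas header / doAs query parameter come from the issue text; the
group table, the "*" wildcard and exact string matching of hosts are
simplifying assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

DOAS_PARAM = "doAs"            # option 1 in the issue: query parameter
DOAS_HEADER = "x-hadoop-doas"  # option 2 in the issue: HTTP header


class Forbidden(Exception):
    """Raised when the request must be answered with 403 - Forbidden."""


@dataclass
class Request:
    path: str                 # request target, e.g. "/service?doAs=foobar"
    headers: Dict[str, str]   # header names are compared case-insensitively
    remote_host: str          # origin of the HTTP connection (assumed already resolved)
    principal: str            # principal authenticated by the Kerberos token


@dataclass
class ProxyUserAcl:
    """The hadoop.proxyuser.* part of core-site.xml plus a stand-in group lookup."""
    config: Dict[str, str]
    groups_of: Dict[str, List[str]]   # assumed stand-in for Hadoop's group mapping service

    def values(self, key: str) -> Set[str]:
        """Comma-separated ACL value -> set of entries (missing key -> empty set)."""
        return {v.strip() for v in self.config.get(key, "").split(",") if v.strip()}


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """'yarn/host1.example.com@EXAMPLE.COM' -> ('yarn', 'host1.example.com')."""
    name = principal.split("@", 1)[0]
    short, _, host = name.partition("/")
    return short, (host or None)


def requested_doas(req: Request) -> Optional[str]:
    """doAs user from the query parameter or the header; None if neither is present.

    If a client sends both and they disagree, refuse rather than pick one
    (assumption: the issue leaves this case unspecified).
    """
    from_query = parse_qs(urlsplit(req.path).query).get(DOAS_PARAM, [None])[0]
    from_header = next((v for k, v in req.headers.items() if k.lower() == DOAS_HEADER), None)
    if from_query and from_header and from_query != from_header:
        raise Forbidden("conflicting doAs values in query parameter and header")
    return from_query or from_header


def authorize(req: Request, acl: ProxyUserAcl) -> str:
    """Return the identity to expose as REMOTE_USER, or raise Forbidden."""
    proxy_user, principal_host = split_principal(req.principal)
    doas = requested_doas(req)
    if doas is None or doas == proxy_user:
        return proxy_user                      # no impersonation requested

    # Host check: both the host part of the credential and the request origin
    # must be listed in hadoop.proxyuser.<proxy user>.hosts.
    hosts = acl.values(f"hadoop.proxyuser.{proxy_user}.hosts")
    if "*" not in hosts and (principal_host not in hosts or req.remote_host not in hosts):
        raise Forbidden(f"{proxy_user} may not impersonate from {principal_host}/{req.remote_host}")

    # Target check: doAs user listed in .users, or member of a group listed in .groups.
    users = acl.values(f"hadoop.proxyuser.{proxy_user}.users")
    groups = acl.values(f"hadoop.proxyuser.{proxy_user}.groups")
    if "*" in users or doas in users:
        return doas
    if "*" in groups or groups & set(acl.groups_of.get(doas, [])):
        return doas
    raise Forbidden(f"{proxy_user} may not impersonate {doas}")


def handle(req: Request, acl: ProxyUserAcl) -> Tuple[int, Optional[str]]:
    """(HTTP status, REMOTE_USER): 200 with the effective user, or 403 with None."""
    try:
        return 200, authorize(req, acl)
    except Forbidden:
        return 403, None


# Constructed sample configuration: yarn may impersonate members of 'analysts'
# when both its credential and the request come from host1 or host2.
SAMPLE_ACL = ProxyUserAcl(
    config={
        "hadoop.proxyuser.yarn.hosts": "host1.example.com,host2.example.com",
        "hadoop.proxyuser.yarn.groups": "analysts",
    },
    groups_of={"foobar": ["analysts"], "mallory": ["guests"]},
)

if __name__ == "__main__":
    ok = Request("/service?doAs=foobar", {"Authorization": "Negotiate <token>"},
                 "host1.example.com", "yarn/host1.example.com@EXAMPLE.COM")
    print(handle(ok, SAMPLE_ACL))   # (200, 'foobar')
```

The model keeps the three failure modes separate on purpose: a credential or origin host outside the hosts ACL, a doAs user outside the users/groups ACL, and a principal with no proxyuser configuration at all (an empty hosts set) all end in the same 403 so the response leaks nothing about which rule failed, while the distinct Forbidden messages are what a server would log.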

> Support impersonation for AuthenticationFilter
> ----------------------------------------------
>
>                 Key: HADOOP-16095
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16095
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
