[ https://issues.apache.org/jira/browse/HADOOP-12628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16806715#comment-16806715 ]
Hadoop QA commented on HADOOP-12628:
------------------------------------
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s{color} | {color:blue} Docker mode activated. {color} |
| {color:red}-1{color} | {color:red} patch {color} | {color:red} 0m 7s{color} | {color:red} HADOOP-12628 does not apply to trunk. Rebase required? Wrong Branch? See https://wiki.apache.org/hadoop/HowToContribute for help. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Issue | HADOOP-12628 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12964436/patch-for-hadoop-2.7.x.patch |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/16092/console |
| Powered by | Apache Yetus 0.8.0 http://yetus.apache.org |
This message was automatically generated.
> service level authorization check the combination of host and user
> -------------------------------------------------------------------
>
> Key: HADOOP-12628
> URL: https://issues.apache.org/jira/browse/HADOOP-12628
> Project: Hadoop Common
> Issue Type: Improvement
> Components: fs
> Affects Versions: 2.2.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.7.0, 2.7.1,
> 2.7.2, 2.6.2, 2.6.3, 2.7.3, 2.6.4, 2.6.5, 2.7.4, 2.7.5, 2.7.6, 2.7.7
> Environment: hadoop2.2.0
> Reporter: mai shurong
> Assignee: mai shurong
> Priority: Major
> Labels: patch
> Attachments: patch-for-hadoop-2.2.x.patch,
> patch-for-hadoop-2.5.x.patch, patch-for-hadoop-2.6.x.patch,
> patch-for-hadoop-2.7.x.patch
>
>
> Service level authorization in hadoop2.2.x, hadoop2.5.x, hadoop2.6.x can only
> check the user from the client. Service level authorization in hadoop2.7.x adds
> the function of checking the host (ip) from the client, but it can only check host
> and user independently and cannot check the combination of host and user.
> I add the function of checking the combination of host and user by the patch.
> After applying the patch, we can set the authorization of a host-user pair in
> hadoop-policy.xml. Take security.client.protocol.acl for example:
> If we only let hadoop_user1 from 192.168.0.1 (ip) have the authorization,
> we can set "hadoop_user1:192.168.0.1". So hadoop_user1 from any host other than
> 192.168.0.1 doesn't have the authorization. If we add the authorization of
> hadoop_user2 from myhost.com.cn (hostname), we can set
> "hadoop_user2:myhost.com.cn"; if we authorize hadoop_user3 from any host, we
> just set "hadoop_user3" like before; if we want to authorize any user from the
> host 192.168.10.10, we can set "*:192.168.10.10".
> example:
> <property>
> <name>security.client.protocol.acl</name>
> <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> It is also applied to the blocked access control list after hadoop2.6.0:
> example:
> <property>
> <name>security.client.protocol.acl.blocked</name>
> <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> The format of the access control list is completely compatible.
> The lists of users and groups are both comma-separated lists of names. The two
> lists are separated by a space.
> Add a blank at the beginning of the line if only a list of groups is to be
> provided; equivalently, a comma-separated list of users followed by a space or
> nothing implies only a set of given users. A special value of * implies that
> all users from any host are allowed to access the service.
> Example:
> user1,user2 group1,group2 (user1,user2,group1,group2 from any host have the
> authorization)
> user1:192.168.0.1,user2:myhost1.com.cn
> group1:192.168.0.2,group2:myhost2.com.cn (user1 from 192.168.0.1, user2 from
> myhost1.com.cn, group1 from 192.168.0.2,group2 from myhost2.com.cn have the
> authorization)
> *:192.168.0.1,*:myhost1.com.cn (any user from 192.168.0.1, any user from
> myhost1.com.cn have the authorization)
> * (any user from any host has the authorization)
> example1:
> <property>
> <name>security.client.protocol.acl</name>
> <value>*</value>
> </property>
> example2:
> <property>
> <name>security.client.protocol.acl</name>
> <value>user1,user2 group1,group2</value>
> </property>
>
> example3:
> <property>
> <name>security.client.protocol.acl</name>
> <value>*:192.168.0.1,*:myhost1.com.cn</value>
> </property>
>
> example4:
> <property>
> <name>security.client.protocol.acl</name>
> <value>user1:192.168.0.1,user2:myhost1.com.cn
> group1:192.168.0.2,group2:myhost2.com.cn</value>
> </property>
>
>
>
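The quoted description spells out the matching rules for the host-aware ACL format (user or group entries, an optional ":host" suffix, "*" and "*:host" wildcards, a leading blank for a groups-only list, and the blocked list introduced in 2.6.0). The following is an added illustrative evaluator written for this page, not the patch attached to the issue or Hadoop's own ServiceAuthorizationManager. It assumes that a client "host" matches either its IP address string or its resolved hostname (both are passed in explicitly, so nothing is resolved here), and that an entry in the blocked list overrides the allow list, which is how the description presents the two lists.

```python
"""Evaluator for the host-aware service-level ACL format described in HADOOP-12628.

Illustrative re-implementation for this page, not Hadoop's own code. Assumed rules:
  * the ACL string is "<users> <groups>"; each list is comma separated
  * an entry is "name" (any host) or "name:host" (only from that host)
  * "*" admits every user from every host, "*:host" every user from that host
  * a blocked list, when configured, takes precedence over the allow list
  * the client's IP string and resolved hostname are supplied by the caller
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AclEntry:
    name: str            # user or group name, or "*"
    host: Optional[str]  # None means "from any host"


@dataclass
class HostAwareAcl:
    users: List[AclEntry] = field(default_factory=list)
    groups: List[AclEntry] = field(default_factory=list)

    @classmethod
    def parse(cls, text: str) -> "HostAwareAcl":
        # Split on the first space only; a leading blank yields an empty user list.
        user_part, _, group_part = text.partition(" ")
        return cls(users=_parse_list(user_part), groups=_parse_list(group_part))

    def is_allowed(self, user: str, groups: Set[str], ip: str, hostname: str) -> bool:
        client_hosts = {ip, hostname}
        for entry in self.users:
            if entry.name in ("*", user) and _host_ok(entry, client_hosts):
                return True
        for entry in self.groups:
            if entry.name in groups and _host_ok(entry, client_hosts):
                return True
        return False


def _parse_list(part: str) -> List[AclEntry]:
    entries = []
    for raw in part.split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, host = raw.partition(":")
        entries.append(AclEntry(name, host if sep else None))
    return entries


def _host_ok(entry: AclEntry, client_hosts: Set[str]) -> bool:
    return entry.host is None or entry.host in client_hosts


def check_access(acl_text: str, blocked_text: Optional[str], user: str,
                 groups: Set[str], ip: str, hostname: str) -> bool:
    """Allowed by the ACL and, when a blocked list exists, not matched by it."""
    if not HostAwareAcl.parse(acl_text).is_allowed(user, groups, ip, hostname):
        return False
    if blocked_text:
        return not HostAwareAcl.parse(blocked_text).is_allowed(user, groups, ip, hostname)
    return True


# Constructed sample: the allow list from the issue's first example.
SAMPLE_ACL = "hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10"

if __name__ == "__main__":
    print(check_access(SAMPLE_ACL, None, "hadoop_user1", set(), "192.168.0.1", "n1.example"))
    print(check_access(SAMPLE_ACL, None, "hadoop_user1", set(), "10.0.0.5", "n2.example"))
```

A hostname entry such as "hadoop_user2:myhost.com.cn" is only as trustworthy as the reverse lookup that produced the hostname the server compares against; where the policy is meant to pin a client to a machine, an IP entry is the more direct control, and the blocked list is the place to deny a specific user-host pair without rewriting the allow list.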
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]