[
https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832601#comment-16832601
]
Eric Yang commented on HADOOP-16287:
------------------------------------
[~daryn] {quote}-1 on returning a new auth cookie as the impersonated user.
It's insanely dangerous and will create bugs and/or security holes. The auth
cookie must be the authenticated user. Let's explore the unintended side
effects.{quote}
If the auth cookie is forwarded from proxy to end user, then end user got token
for proxy user (authenticated user). That does not sound right. It's either
no auth cookie returned, or the cookie is token for end user credential. This
prevents accidental leaks of impersonation power. The three points listed are
implementation mistake that can happen, if proxyuser or server code is not
written properly. Knox does shield hadoop.auth cookie from leaking. The
handling of hadoop.auth cookie between Hadoop and Knox should be private
conversation. If the operation between servers are multi-calls, the cached
token can reduce hitting KDC server for each call.
> KerberosAuthenticationHandler Trusted Proxy Support for Knox
> ------------------------------------------------------------
>
> Key: HADOOP-16287
> URL: https://issues.apache.org/jira/browse/HADOOP-16287
> Project: Hadoop Common
> Issue Type: New Feature
> Components: auth
> Affects Versions: 3.2.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16287-001.patch
>
>
> Knox passes doAs with end user while accessing RM, WebHdfs Rest Api.
> Currently KerberosAuthenticationHandler sets the remote user to Knox. Need
> Trusted Proxy Support by reading doAs query parameter.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
