Eric Yang created HADOOP-16314:
----------------------------------
Summary: Make sure all end point URL is covered by the same
AuthenticationFilter
Key: HADOOP-16314
URL: https://issues.apache.org/jira/browse/HADOOP-16314
Project: Hadoop Common
Issue Type: Improvement
Reporter: Eric Yang

The enclosed spreadsheet shows the list of web applications deployed by
Hadoop, and the filters applied to each entry point.

Hadoop web protocol impersonation has been inconsistent. Most entry points
do not support the ?doAs parameter. This creates a problem for secure gateways
like Knox that proxy the Hadoop web interface on behalf of the end user. When the
receiving end does not check for the ?doAs flag, the web interface would be accessed
using the proxy user credential. This can lead to all kinds of security holes using
path traversal to exploit Hadoop.

In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to
the web impersonation problem. This task is to track changes required in the
Hadoop code base to apply the authentication filter globally for each of the web
service ports.
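The identity mismatch described in the issue, as an added example that is not part of the original message and is not Hadoop code: a simplified Python model of which user a request runs as, depending on whether the entry point's filter chain includes the doAs-aware filter, plus a check that lists entry points not covered by it. The endpoint paths, the proxy policy and the function names are constructed assumptions; only the filter names and the `doAs` parameter come from the message.

```python
# Added illustration: a simplified model, not Hadoop code.
from typing import Dict, List, Set

REQUIRED_FILTER = "ProxyUserAuthenticationFilter"  # filter named in the issue

# Constructed policy: gateway principal -> end users it may impersonate.
PROXY_POLICY: Dict[str, Set[str]] = {"knox": {"alice", "bob"}}


class ImpersonationDenied(Exception):
    """The authenticated caller may not act as the requested user."""


def effective_user(auth_user: str, query: Dict[str, str], filters: List[str],
                   policy: Dict[str, Set[str]] = PROXY_POLICY) -> str:
    """Return the identity the endpoint would run the request as."""
    if REQUIRED_FILTER not in filters:
        # Endpoint never inspects doAs: the request runs as the caller,
        # i.e. with the gateway's own credential.
        return auth_user
    do_as = query.get("doAs", "")
    if not do_as or do_as == auth_user:
        return auth_user
    if do_as not in policy.get(auth_user, set()):
        raise ImpersonationDenied(f"{auth_user} may not impersonate {do_as}")
    return do_as


def uncovered(endpoints: Dict[str, List[str]]) -> List[str]:
    """List entry points whose filter chain lacks the doAs-aware filter."""
    return sorted(p for p, f in endpoints.items() if REQUIRED_FILTER not in f)


# Constructed inventory standing in for the spreadsheet; paths are hypothetical.
ENDPOINTS: Dict[str, List[str]] = {
    "/service-a/*": ["ProxyUserAuthenticationFilter"],
    "/service-b/*": ["AuthenticationFilter"],
    "/static/*": [],
}

if __name__ == "__main__":
    q = {"doAs": "alice"}
    for path, chain in ENDPOINTS.items():
        print(path, "->", effective_user("knox", q, chain))
    print("not covered:", uncovered(ENDPOINTS))
```

In this model the same proxied request resolves to `alice` on the covered entry point and to `knox` on the others, which is the inconsistency the issue sets out to track.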