[
https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16847729#comment-16847729
]
Eric Yang commented on HADOOP-16314:
------------------------------------
[~Prabhu Joseph] Thank you for the patch. I think this part of code can be
removed:
{code:java}
+ //if (this.securityEnabled) {
+ // server.initSpnego(conf, hostName, usernameConfKey, keytabConfKey);
+ //}
{code}
The rest looks good to me.
> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
> Key: HADOOP-16314
> URL: https://issues.apache.org/jira/browse/HADOOP-16314
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16314-001.patch, Hadoop Web Security.xlsx,
> scan.txt
>
>
> In the enclosed spreadsheet, it shows the list of web applications deployed
> by Hadoop, and filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent. Most of entry point
> do not support ?doAs parameter. This creates problem for secure gateway like
> Knox to proxy Hadoop web interface on behave of the end user. When the
> receiving end does not check for ?doAs flag, web interface would be accessed
> using proxy user credential. This can lead to all kind of security holes
> using path traversal to exploit Hadoop.
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to
> solve the web impersonation problem. This task is to track changes required
> in Hadoop code base to apply authentication filter globally for each of the
> web service port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
