[ https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859120#comment-16859120 ]
Eric Yang commented on HADOOP-16354: ------------------------------------ If AuthFilter is extended from AuthenticationFilter, then webhdfs doesn't honor ?doAs= flag. This breaks compatibility: https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users When user access webhdfs via Knox. Knox credential would be used. I think AuthFilter should extend from ProxyUserAuthenticationFilter to ensure that doAs flag is honored. AuthFilter only ignores doAs flag when DT is in use. > Enable AuthFilter as default for WebHdfs > ---------------------------------------- > > Key: HADOOP-16354 > URL: https://issues.apache.org/jira/browse/HADOOP-16354 > Project: Hadoop Common > Issue Type: Sub-task > Components: security > Affects Versions: 3.3.0 > Reporter: Prabhu Joseph > Assignee: Prabhu Joseph > Priority: Major > Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch, > HADOOP-16354-003.patch > > > HADOOP-16314 provides an generic option to configure > ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all > the services. If this is not configured, AuthenticationFIlter is used for > NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so > that it is backward compatible. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org