[ https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859147#comment-16859147 ]

Prabhu Joseph commented on HADOOP-16354:
----------------------------------------

[~eyang] WebHdfs provides doas support indirectly through {{JspHelper#getUGI}}. 

{code}
if (doAsUserFromQuery != null) {
  // create and attempt to authorize a proxy user
  ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
  ProxyUsers.authorize(ugi, getRemoteAddr(request));
}
{code}

All three scenarios in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users work fine.

*Test Cases:*

{code}

Test Case 1: 
**************

A proxy request using Kerberos SPNEGO when security is on (knox impersonates ambari-qa)

[knox@pjosephdocker-1 hadoop]$ curl --negotiate -u : "http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/ambari-qa?doas=ambari-qa&op=GETFILESTATUS";
{"FileStatus":{"accessTime":0,"blockSize":0,"childrenNum":14,"fileId":16388,"group":"hdfs","length":0,"modificationTime":1559557387372,"owner":"ambari-qa","pathSuffix":"","permission":"770","replication":0,"storagePolicy":0,"type":"DIRECTORY"}}

2019-06-08 07:58:09,649 DEBUG common.JspHelper (JspHelper.java:getUGI(173)) - getUGI is returning: ambari-qa

Test Case 2: 
**************

A proxy request using Hadoop delegation token when security is on:

[knox@pjosephdocker-1 hadoop]$ curl --negotiate -u : "http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs";
{"Token":{"urlString":"IAAEa25veARoZGZzAIoBazYZx6CKAWtaJkugjgG_jgGkFDQ2gUTATHjMfowub5bl-SqLAwxmEldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA"}}

[ambari-qa@pjosephdocker-1 ~]$ curl "http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/knox?op=GETFILESTATUS&delegation=IAAEa25veARoZGZzAIoBazYZx6CKAWtaJkugjgG_jgGkFDQ2gUTATHjMfowub5bl-SqLAwxmEldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuNzMuMTkwOjgwMjA";
{"FileStatus":{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":1394411,"group":"hadoop","length":0,"modificationTime":1559980208213,"owner":"knox","pathSuffix":"","permission":"755","replication":0,"storagePolicy":0,"type":"DIRECTORY"}}

2019-06-08 08:00:32,679 DEBUG common.JspHelper (JspHelper.java:getUGI(173)) - getUGI is returning: knox

{code}

Was initially using {{AuthFilter}} to extend {{ProxyUserAuthenticationFilter}} but left it as {{JspHelper#getUGI}} already does.



> Enable AuthFilter as default for WebHdfs
> ----------------------------------------
>
>                 Key: HADOOP-16354
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16354
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch, 
> HADOOP-16354-003.patch
>
>
> HADOOP-16314 provides a generic option to configure 
> ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all 
> the services. If this is not configured, AuthenticationFilter is used for 
> NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so 
> that it is backward compatible.
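
The doas decision described in the comment above, as an added example that is not part of the original message and is not Hadoop source: a simplified stand-alone model of the check that follows {{createProxyUser}}. The class and method names, the sample addresses and the sample settings are hypothetical; the property names follow Hadoop's {{hadoop.proxyuser.<user>.hosts}} / {{.users}} convention, and the {{.groups}} property and host ranges are left out.

```java
import java.util.Arrays;
import java.util.Map;

// Simplified model of proxy-user authorization for a doas request (not Hadoop code).
public class ProxyUserCheckDemo {
    // Constructed sample settings, shaped like core-site.xml proxyuser properties.
    static final Map<String, String> CONF = Map.of(
        "hadoop.proxyuser.knox.hosts", "192.0.2.10",
        "hadoop.proxyuser.knox.users", "ambari-qa");

    /** Returns the effective user, or throws if the impersonation is not permitted. */
    static String effectiveUser(String authenticatedUser, String doAs, String remoteAddr) {
        if (doAs == null) {
            return authenticatedUser;            // no doas parameter: act as the caller
        }
        String prefix = "hadoop.proxyuser." + authenticatedUser;
        if (!listed(CONF.get(prefix + ".users"), doAs)) {
            throw new SecurityException(
                authenticatedUser + " is not allowed to impersonate " + doAs);
        }
        if (!listed(CONF.get(prefix + ".hosts"), remoteAddr)) {
            throw new SecurityException(
                "Unauthorized connection for " + authenticatedUser + " from " + remoteAddr);
        }
        return doAs;
    }

    // A missing property denies; "*" allows anything; otherwise exact comma-separated match.
    static boolean listed(String value, String candidate) {
        if (value == null) return false;
        if (value.trim().equals("*")) return true;
        return Arrays.stream(value.split(",")).anyMatch(s -> s.trim().equals(candidate));
    }

    public static void main(String[] args) {
        String[][] requests = {                   // {authenticated user, doas, remote address}
            {"knox", "ambari-qa", "192.0.2.10"},  // configured proxy, allowed target and host
            {"knox", null, "192.0.2.10"},         // no impersonation requested
            {"knox", "hdfs", "192.0.2.10"},       // target user not in the allowed list
            {"knox", "ambari-qa", "192.0.2.99"},  // request from a host that is not listed
            {"ambari-qa", "knox", "192.0.2.10"},  // caller has no proxyuser configuration
        };
        for (String[] r : requests) {
            try {
                System.out.println(Arrays.toString(r) + " -> " + effectiveUser(r[0], r[1], r[2]));
            } catch (SecurityException e) {
                System.out.println(Arrays.toString(r) + " -> DENIED: " + e.getMessage());
            }
        }
    }
}
```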


