[ https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16860359#comment-16860359 ]

Eric Yang commented on HADOOP-16354:
------------------------------------

[~Prabhu Joseph] Thank you for patch 004, it is closer to what we need, but I 
can't get it to work with lower case doas=, even though the patch seems to 
convert to lower case for doas.

{code}
[hdfs@eyang-1 hadoop-3.3.0-SNAPSHOT]$ curl --negotiate -u : "http://`hostname -f`:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs&doas=eyang"

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: eyang is not allowed to impersonate eyang"}}
{code}

When using doAs, then it works as expected:
{code}
[hdfs@eyang-1 hadoop-3.3.0-SNAPSHOT]$ curl --negotiate -u : "http://`hostname -f`:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs&doAs=eyang"
{"Token":{"urlString":"HQAFZXlhbmcEaGRmcwCKAWtDUn5oigFrZ18CaAECFJ6Dq3M5Slq_QhusB9mHwZcj8axREldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuMTExLjE3OjkwMDAA"}}

[eyang@eyang-1 root]$ curl -L "http://`hostname -f`:50070/webhdfs/v1/user/hdfs/README.txt?op=GETFILESTATUS&delegation=HQAFZXlhbmcEaGRmcwCKAWtDUn5oigFrZ18CaAECFJ6Dq3M5Slq_QhusB9mHwZcj8axREldFQkhERlMgZGVsZWdhdGlvbhIxNzIuMjYuMTExLjE3OjkwMDAA"
{"RemoteException":{"exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException","message":"Permission denied: user=eyang, access=EXECUTE, inode=\"/user/hdfs\":hdfs:hdfs:drwx------"}}
{code}


> Enable AuthFilter as default for WebHdfs
> ----------------------------------------
>
>                 Key: HADOOP-16354
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16354
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch, 
> HADOOP-16354-003.patch, HADOOP-16354-004.patch
>
>
> HADOOP-16314 provides a generic option to configure 
> ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all 
> the services. If this is not configured, AuthenticationFilter is used for 
> NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so 
> that it is backward compatible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
