[ https://issues.apache.org/jira/browse/HADOOP-17857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412007#comment-17412007 ]
Szilard Nemeth commented on HADOOP-17857:
-----------------------------------------

Thanks [~epayne] for working on this.
Just read through the description and comments, everything is clear for me and I like the simplistic way of solving this problem.
It's also reassuring that you have been running with this change in production for over a year.
So, latest patch looks good to me and committed patch002 to trunk.
Resolving this jira, if you want to backport to older branches (3.3 or even 3.2), please reopen.
Thanks.

> Check real user ACLs in addition to proxied user ACLs
> -----------------------------------------------------
>
>                 Key: HADOOP-17857
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17857
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 3.2.2, 2.10.1, 3.3.1
>            Reporter: Eric Payne
>            Assignee: Eric Payne
>            Priority: Major
>         Attachments: HADOOP-17857.001.patch, HADOOP-17857.002.patch
>
>
> In a secure cluster, it is possible to configure the services to allow a
> super-user to proxy to a regular user and perform actions on behalf of the
> proxied user (see [Proxy user - Superusers Acting On Behalf Of Other
> Users|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]).
> This is useful for automating server access for multiple different users in a
> multi-tenant cluster. For example, this can be used by a super user
> submitting jobs to a YARN queue, accessing HDFS files, scheduling Oozie
> workflows, etc, which will then execute the service as the proxied user.
> Usually when these services check ACLs to determine if the user has access to
> the requested resources, the service only needs to check the ACLs for the
> proxied user. However, it is sometimes desirable to allow the proxied user to
> have access to the resources when only the real user has open ACLs.
> For instance, let's say the user {{adm}} is the only user with submit ACLs to
> the {{dataload}} queue, and the {{adm}} user wants to submit apps to the
> {{dataload}} queue on behalf of users {{headless1}} and {{headless2}}. In
> addition, we want to be able to bill {{headless1}} and {{headless2}}
> separately for the YARN resources used in the {{dataload}} queue. In order to
> do this, the apps need to run in the {{dataload}} queue as the respective
> headless users. We could open up the ACLs to the {{dataload}} queue to allow
> {{headless1}} and {{headless2}} to submit apps. But this would allow those
> users to submit any app to that queue, and not be limited to just the data
> loading apps, and we don't trust the {{headless1}} and {{headless2}} owners
> to honor that restriction.
> This JIRA proposes that we define a way to set up ACLs to restrict a
> resource's access to a super-user, but when the access happens, run it as
> the proxied user.
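
The access decision proposed in the description, modelled for the dataload scenario. This is an added example, not the committed patch or any Hadoop code: Caller, PROXY_RULES, QUEUE_SUBMIT_ACL and submit() are hypothetical names, and PROXY_RULES stands in for the proxy-user configuration covered by the Superusers document linked above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Caller:
    """`user` is the effective (proxied) user; `real_user` is the
    authenticated super-user, or None when nobody is proxying."""
    user: str
    real_user: Optional[str] = None


# Constructed sample policy for the scenario in the description.
QUEUE_SUBMIT_ACL = {"dataload": {"adm"}}            # only adm may submit
PROXY_RULES = {"adm": {"headless1", "headless2"}}   # whom adm may impersonate


def proxy_authorized(caller):
    """Impersonation must be permitted before any resource ACL is consulted."""
    if caller.real_user is None:
        return True
    return caller.user in PROXY_RULES.get(caller.real_user, set())


def acl_allows(acl, caller, check_real_user):
    """Proxied user in the ACL, or (proposed behaviour) the real user in it."""
    if caller.user in acl:
        return True
    return (check_real_user
            and caller.real_user is not None
            and caller.real_user in acl)


def submit(queue, caller, check_real_user=True):
    """Return the user the app runs (and is billed) as, or None if denied."""
    if not proxy_authorized(caller):
        return None
    acl = QUEUE_SUBMIT_ACL.get(queue, set())
    if not acl_allows(acl, caller, check_real_user):
        return None
    return caller.user


if __name__ == "__main__":
    print(submit("dataload", Caller("headless1", "adm")))         # via adm
    print(submit("dataload", Caller("headless1", "adm"), False))  # proxied-only check
    print(submit("dataload", Caller("headless1")))                # direct attempt
```

The real-user check only widens access for callers that already passed the impersonation check, so the list of users a super-user may proxy remains the control that bounds who benefits from the super-user's ACLs.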