[
https://issues.apache.org/jira/browse/HADOOP-10448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoy Antony updated HADOOP-10448:
----------------------------------
Attachment: HADOOP-10448.patch
Thanks for the comments [~daryn]. I have made changes to the patch based on
comments.
bq. Less synchronization is always good, removing all synchronization will
cause race conditions accessing the non-thread safe data structures during a
refresh.
Though synchronization is removed, it is still safe for different threads to
share the instance of ImpersonationProvider. The instance of
ImpersonationProvider is effectively immutable and it is safely published by
storing its reference in a _volatile_ field.
bq. Does it make sense for get*ConfKey methods to be part of the api? That
seems like an implementation detail of a conf based provider that is
inapplicable to other abstract providers.
I agree and have created an interface - _ImpersonationProvider_ . This will be
implemented by _DefaultImpersonationProvider_ and the above methods are part of
_DefaultImpersonationProvider_.
bq. I'm just curious what alternate implementation you intend to use?
My requirement is to manage the proxyusers via group membership in addition to
the config based proxyusers. Users belonging to group s_<username> can
impersonate <username> .
So the sample implementation is as follows:
{code:title=SudoGroupBasedImpersonationProvider.java|borderStyle=solid}
/**
* Custom class which allows impersonation if the superuser belongs to sudo group
* The sudo groupname is determined based on the name of the user to be
impersonated.
*
*/
public class SudoGroupBasedImpersonationProvider extends
DefaultImpersonationProvider{
public void authorize(UserGroupInformation user,
String remoteAddress) throws AuthorizationException {
UserGroupInformation superUser = user.getRealUser();
if (superUser == null) {
return;
}
//form the group name as in s_PROXIEDUSER
String groupName = "s_" + user.getShortUserName();
//check if the any of the superuser's group matches the sudo group
for (String group : superUser.getGroupNames()) {
if (group.equals(groupName)){
//match found , authorize impersonation
return;
}
}
//revert to default proxy logic
super.authorize(user, remoteAddress);
}
}
{code}
> Support pluggable mechanism to specify proxy user settings
> ----------------------------------------------------------
>
> Key: HADOOP-10448
> URL: https://issues.apache.org/jira/browse/HADOOP-10448
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 2.3.0
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HADOOP-10448.patch, HADOOP-10448.patch,
> HADOOP-10448.patch, HADOOP-10448.patch, HADOOP-10448.patch, HADOOP-10448.patch
>
>
> We have a requirement to support large number of superusers. (users who
> impersonate as another user)
> (http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html)
> Currently each superuser needs to be defined in the core-site.xml via
> proxyuser settings. This will be cumbersome when there are 1000 entries.
> It seems useful to have a pluggable mechanism to specify proxy user settings
> with the current approach as the default.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
