[ 
https://issues.apache.org/jira/browse/HADOOP-10650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10650:
----------------------------------

    Attachment: HADOOP-10650.patch

Submitting a patch which includes HADOOP-10649 also.

For each acl, it is possible to define a reverse acl by including ".reverse" as 
the suffix. 
For example, for security.client.protocol.acl, the reverse ACL is read using the key 
security.client.protocol.acl.reverse

The protocol access is authorized if the user is included in the acl AND not included 
in the reverse acl.

The key to specify the default reverse acl is also defined. That will be 
"security.service.authorization.default.acl.reverse".

> Add ability to specify a negative ACL (black list) of users and groups
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10650
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10650
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10650.patch
>
>
> Currently, it is possible to define an ACL (users and groups) for a service. 
> To temporarily remove authorization for a set of users, the administrator needs 
> to remove the users from the specific group, and this may be a lengthy process 
> (update LDAP groups, flush caches on machines).
> If there is a facility to define a negative ACL for services, then the 
> administrator can disable users by specifying the users in the negative ACL. In 
> other words, one can specify a whitelist of users and groups as well as a 
> blacklist of users and groups. 
> One can also specify a default blacklist to disable the users from accessing 
> any service.
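The authorization rule described in the comment above (allowed = in the acl AND not in the ".reverse" acl, with a default reverse key), modelled as an added example that is not part of the attached patch. It assumes a plain dict for configuration, the Hadoop ACL string format "users groups" with "*" meaning everyone, and that a service without its own reverse acl falls back to the default reverse key the same way the existing default acl works.

```python
# Added model of the reverse-ACL rule from the comment above; not Hadoop code.
# Config is a plain dict and the caller supplies the user's groups directly
# (Hadoop resolves groups through its group mapping). Fallback to the default
# reverse key for services without their own ".reverse" entry is assumed.
DEFAULT_ACL_KEY = "security.service.authorization.default.acl"  # existing Hadoop key
DEFAULT_REVERSE_ACL_KEY = DEFAULT_ACL_KEY + ".reverse"          # key named in the comment
REVERSE_SUFFIX = ".reverse"


def parse_acl(acl_str):
    """Parse a Hadoop-style ACL string: 'user1,user2 group1,group2'.

    A bare '*' grants everyone (returned as None); an empty string matches
    nobody; a leading space means 'no users, only these groups'.
    """
    if acl_str.strip() == "*":
        return None
    parts = acl_str.split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = set()
    if len(parts) > 1:
        groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return users, groups


def acl_matches(acl, user, user_groups):
    """True if the user, or any of the user's groups, is listed in the ACL."""
    if acl is None:
        return True
    acl_users, acl_groups = acl
    return user in acl_users or not acl_groups.isdisjoint(user_groups)


def authorize(conf, acl_key, user, user_groups):
    """Allow iff the user is in the ACL AND not in the reverse ACL (<acl_key>.reverse)."""
    acl = parse_acl(conf.get(acl_key, conf.get(DEFAULT_ACL_KEY, "*")))
    reverse = parse_acl(conf.get(acl_key + REVERSE_SUFFIX,
                                 conf.get(DEFAULT_REVERSE_ACL_KEY, "")))
    return acl_matches(acl, user, user_groups) and not acl_matches(reverse, user, user_groups)


# Constructed sample configuration (not taken from the issue).
SAMPLE_CONF = {
    "security.client.protocol.acl": "alice,bob admins",
    "security.client.protocol.acl.reverse": "bob",  # bob blocked from this service only
    DEFAULT_REVERSE_ACL_KEY: "mallory",             # mallory blocked from every other service
}
```

With this configuration bob is denied on the client protocol despite being whitelisted, while mallory is denied on any service that has no reverse acl of its own.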



--
This message was sent by Atlassian JIRA
(v6.2#6252)