[
https://issues.apache.org/jira/browse/HADOOP-12389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740946#comment-14740946
]
Allen Wittenauer commented on HADOOP-12389:
-------------------------------------------
bq. If ProxyUsers#authorize is called when it should not be, it is a bug and
should be fixed rather than changing authorization scheme.
There is no difference between a user authenticating as themselves and a user
authenticating as themselves and requesting to proxy to their own account,
especially if we put in the clause about there mustn't already exist a proxy
config entry.
As to a bug, I'd love to go back to pre-2.5.0 NN HTTP handling before
everything got massively screwed up despite us (a year later) still dealing
with the fallout, but I don't see that happening. But again: it's sort of
irrelevant. There's no real difference here from a security perspective.
> allow self-impersonation
> ------------------------
>
> Key: HADOOP-12389
> URL: https://issues.apache.org/jira/browse/HADOOP-12389
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0
> Reporter: Allen Wittenauer
>
> This is kind of dumb:
> org.apache.hadoop.security.authorize.AuthorizationException: User: aw is not
> allowed to impersonate aw
> Users should be able to impersonate themselves in secure and non-secure cases
> automatically, for free.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
