[ https://issues.apache.org/jira/browse/HADOOP-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhiyong zhang updated HADOOP-5851:
----------------------------------

    Attachment: HADOOP-5851.patch

a) Add another filter class, LdapIpDirFilter.java, which will be installed via the deployment descriptor (web.xml).

b) Program flowchart:
   1. IP = HttpServletRequest.getRemoteAddr()
   2. Ldap.search(uniqueMember:cn=IP) to find the role.
      2.a. If nothing is found, return 403.
   3. Role A was found; from role A, extract the userId and the allowed HDFS root paths, say PLIST.
   4. Log the userId.
   5. Get PATH = HttpServletRequest.getPathInfo()
   6. Check whether PATH or one of its parents is in PLIST.
      6.a. If not, return 403.
   7. Access allowed, filter passes.

c) Use a Dummy LDAP Object server to do the unit test.

> proxy to call LDAP for IP lookup and get user ID and directories, validate
> requested URL
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-5851
>                 URL: https://issues.apache.org/jira/browse/HADOOP-5851
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: contrib/hdfsproxy
>            Reporter: zhiyong zhang
>            Assignee: zhiyong zhang
>            Priority: Critical
>         Attachments: HADOOP-5851.patch
>
>
> It is easy to manage user accounts using LDAP. By adding support for LDAP,
> the proxy can do IP authorization in a headless fashion.
> When a user sends a request, the proxy extracts the IP address and request PathInfo
> from the request. Then it searches the LDAP server to get the allowed HDFS
> root paths given the IP address. The proxy will match the user request PathInfo
> with the allowed HDFS root paths, returning 403 if it cannot find a match.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
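The flowchart above, written out as a servlet filter. This is an added example and not the HADOOP-5851 patch or anything from contrib/hdfsproxy: the LDAP search is placed behind a small RoleLookup interface (an assumption here) so the path check can be exercised offline with an in-memory directory, in the spirit of the "Dummy LDAP Object server" the comment mentions. All class, interface, attribute and sample values (IPs, user ids, paths) are assumed or constructed.

```java
import java.io.IOException;
import java.util.*;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the HADOOP-5851 patch: follows the IP -> role -> path flow
 * from the comment. Names are assumptions, not the patch's.
 */
public class IpDirFilterExample implements Filter {
    private static final Logger LOG = Logger.getLogger(IpDirFilterExample.class.getName());

    /** Step 3: a matched role carries the user id and its allowed HDFS root paths (PLIST). */
    public static final class Role {
        public final String userId;
        public final List<String> rootPaths;
        public Role(String userId, List<String> rootPaths) {
            this.userId = userId;
            this.rootPaths = rootPaths;
        }
    }

    /** Step 2: stands in for Ldap.search(uniqueMember:cn=IP); null when nothing matches. */
    public interface RoleLookup {
        Role findByIp(String ip);
    }

    private final RoleLookup lookup;

    public IpDirFilterExample(RoleLookup lookup) {
        this.lookup = lookup;
    }

    /**
     * Step 6: true when PATH equals an allowed root or lies beneath it. The
     * comparison is on whole path components, so "/user/alice2" is not treated
     * as a child of "/user/alice".
     */
    static boolean pathAllowed(String path, List<String> roots) {
        String norm = normalize(path);
        if (norm == null) {
            return false;
        }
        for (String root : roots) {
            String r = normalize(root);
            if (r == null) {
                continue;
            }
            if (r.equals("/") || norm.equals(r) || norm.startsWith(r + "/")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collapses empty and "." segments. Returns null for a missing or relative
     * path, or one containing "..", so such requests fall through to 403 rather
     * than being resolved against a root that was not granted.
     */
    static String normalize(String p) {
        if (p == null || !p.startsWith("/")) {
            return null;
        }
        List<String> out = new ArrayList<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                return null;
            }
            out.add(seg);
        }
        return "/" + String.join("/", out);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        String ip = hreq.getRemoteAddr();                        // step 1
        Role role = lookup.findByIp(ip);                         // step 2
        if (role == null) {                                      // step 2.a
            hres.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String path = hreq.getPathInfo();                        // step 5
        LOG.info("user " + role.userId + " from " + ip + " requested " + path); // step 4
        if (!pathAllowed(path, role.rootPaths)) {                // step 6.a
            hres.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);                                // step 7
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    /** Constructed in-memory stand-in for the LDAP directory, for unit tests. */
    public static final class DummyDirectory implements RoleLookup {
        private final Map<String, Role> byIp = new HashMap<>();

        public DummyDirectory add(String ip, String userId, String... roots) {
            byIp.put(ip, new Role(userId, Arrays.asList(roots)));
            return this;
        }

        @Override
        public Role findByIp(String ip) {
            return byIp.get(ip);
        }
    }

    public static void main(String[] args) {
        DummyDirectory dir = new DummyDirectory()
                .add("10.0.0.5", "alice", "/user/alice", "/data/shared"); // constructed entry
        List<String> roots = dir.findByIp("10.0.0.5").rootPaths;
        System.out.println(pathAllowed("/user/alice/logs", roots));       // child of a granted root
        System.out.println(pathAllowed("/user/alice2", roots));           // sibling, not a child
        System.out.println(pathAllowed("/data/shared/../secret", roots)); // ".." is rejected
        System.out.println(dir.findByIp("10.0.0.9") == null);             // unknown IP, step 2.a
    }
}
```

Compiling needs the servlet API (javax.servlet) on the classpath; the main method only exercises the path check against the dummy directory, so it runs without a container or an LDAP server. A production RoleLookup would perform the uniqueMember search over JNDI, but the two decisions a reviewer would want to see are isolated here: an unknown IP is refused before any path is inspected, and the PLIST match is done on whole components after normalization, which is what keeps a sibling directory or a ".." segment from satisfying step 6.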