[
https://issues.apache.org/jira/browse/ATLAS-2824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16682627#comment-16682627
]
Larry McCay commented on ATLAS-2824:
------------------------------------
Couple comments:
{code}
+ if(allowTrustedProxy) { + String doAsUserName =
httpRequest.getParameter("doAs"); + + if (doAsUserName != null &&
isTrustedProxyUsers(doAsUserName) &&
isIpTrusted(httpRequest.getParameter("x-forwarded-host")) ) { +
{code}
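Review bot: the condition `isTrustedProxyUsers(doAsUserName) && isIpTrusted(httpRequest.getParameter("x-forwarded-host"))` is decided entirely from values the caller supplies as request parameters. `doAsUserName` is the name being impersonated, so a check that by its name tests for a trusted proxy user should take the authenticated caller instead. `getParameter("x-forwarded-host")` reads a query or form parameter, not the `X-Forwarded-Host` request header. Suggest checking the authenticated principal against the proxy-user list, checking `httpRequest.getRemoteAddr()` against the trusted addresses, and reading a forwarded header with `getHeader` only when the direct peer is itself a trusted hop.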
* why not have trusted proxy enabled by default
* you may want to consider making the check for doAs user case-insensitive
* not sure you want to use x-forwarded-host here - if there is a LB in front
of a trusted proxy like Knox then the x-forwarded-host will be the load
balancer. Now, if there is a LB between Knox and Atlas then maybe you do want
that - in which case maybe you want to check both. This needs some additional
thought but I don't think the above is sufficient.
> Atlas authentication to support proxy-user
> ------------------------------------------
>
> Key: ATLAS-2824
> URL: https://issues.apache.org/jira/browse/ATLAS-2824
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Reporter: Nixon Rodrigues
> Assignee: Nixon Rodrigues
> Priority: Major
> Fix For: 1.2.0, 2.0.0
>
> Attachments: ATLAS-2824.patch
>
>
> Atlas authentication module should support the notion of proxy-user, who
> would be allowed to perform operations on behalf of other users i.e.
> impersonate other users - similar to Hadoop as documented
> [here|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html].
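One way to structure the doAs decision raised in the comment above, as an added illustration that is not code from the ATLAS-2824 patch or from Atlas. All class, method and parameter names are hypothetical, and it assumes that a load balancer in front of the service appends the address of its own peer as the last `X-Forwarded-For` entry (used here instead of `X-Forwarded-Host`, which carries a host name rather than a client address).

```java
import java.util.Locale;
import java.util.Set;

// Added illustration, not Atlas code. Class, method and parameter names are hypothetical.
public class DoAsDecision {
    private final Set<String> proxyUsers;     // lower-case names allowed to impersonate
    private final Set<String> proxyAddrs;     // addresses of trusted proxies (e.g. Knox hosts)
    private final Set<String> balancerAddrs;  // load balancers directly in front of this service

    public DoAsDecision(Set<String> proxyUsers, Set<String> proxyAddrs, Set<String> balancerAddrs) {
        this.proxyUsers = proxyUsers;
        this.proxyAddrs = proxyAddrs;
        this.balancerAddrs = balancerAddrs;
    }

    /** Returns the user the request runs as, or throws if impersonation is not allowed. */
    public String effectiveUser(String authenticatedUser, String remoteAddr,
                                String forwardedFor, String doAs) {
        if (doAs == null || doAs.isEmpty()) {
            return authenticatedUser;                  // no impersonation requested
        }
        // The authenticated caller, not the doAs target, must be a proxy user (case-insensitive).
        if (authenticatedUser == null
                || !proxyUsers.contains(authenticatedUser.toLowerCase(Locale.ROOT))) {
            throw new SecurityException(authenticatedUser + " may not impersonate");
        }
        String proxyAddr = remoteAddr;                 // TCP peer; a header cannot change it
        if (balancerAddrs.contains(remoteAddr) && forwardedFor != null) {
            // The header is read only when a trusted balancer sent it; the last entry is its peer.
            proxyAddr = forwardedFor.substring(forwardedFor.lastIndexOf(',') + 1).trim();
        }
        if (!proxyAddrs.contains(proxyAddr)) {
            throw new SecurityException("doAs from untrusted address " + proxyAddr);
        }
        return doAs;
    }

    public static void main(String[] args) {
        // Constructed sample values using documentation address ranges.
        DoAsDecision d = new DoAsDecision(Set.of("knox"), Set.of("192.0.2.10"), Set.of("192.0.2.1"));
        System.out.println(d.effectiveUser("Knox", "192.0.2.10", null, "alice"));  // proxy connects directly
        System.out.println(d.effectiveUser("knox", "192.0.2.1", "203.0.113.7, 192.0.2.10", "alice"));  // via balancer
        try {
            d.effectiveUser("knox", "198.51.100.5", "192.0.2.10", "alice");  // header from an untrusted peer
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Addresses are compared as strings here, so configured values must use the same textual form that the servlet container reports.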