Hi Colm:

In kerberized environments, /service/plugins/secure/policies/download should be used for download and will be restricted to valid plugins as you pointed out. /service/plugins/policies will need to be protected by two-way SSL and exists for backward compatibility.

Thanks,
Vel

From: Colm O hEigeartaigh <[email protected]>
Reply-To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Date: Tuesday, May 2, 2017 at 8:50 AM
To: "[email protected]" <[email protected]>
Subject: Authorization for policy downloads

Hi all,

A quick question for something that is puzzling me. I can download policies from the Admin service with no credentials like e.g.:

    curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop

However, when my kerberized HDFS plugin tries to pull policies down (as the "hdfs" user), I get an authorization error that the user is not allowed to download the policies. I have to edit the "cl1_hadoop" configuration and add the "hdfs" user to the "policy.download.auth.users" property.

Why is this step necessary when I can just download the policies with no credentials with curl? Are we looking at a security issue here?

Colm.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
