Thanks Vel. Shouldn't we make sure that "/service/plugins/policies" can't be invoked unless two-way SSL is in place?

Colm.

On Fri, May 12, 2017 at 6:03 PM, Velmurugan Periasamy <[email protected]> wrote:

> Hi Colm:
>
> In kerberized environments, /service/plugins/secure/policies/download should be used for download and will be restricted to valid plugins as you pointed out. /service/plugins/policies will need to be protected by two-way SSL and exists for backward compatibility.
>
> Thanks,
> Vel
>
> From: Colm O hEigeartaigh <[email protected]>
> Reply-To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Date: Tuesday, May 2, 2017 at 8:50 AM
> To: "[email protected]" <[email protected]>
> Subject: Authorization for policy downloads
>
> Hi all,
>
> A quick question for something that is puzzling me. I can download policies from the Admin service with no credentials, e.g.:
>
> curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop
>
> However, when my kerberized HDFS plugin tries to pull policies down (as the "hdfs" user), I get an authorization error that the user is not allowed to download the policies. I have to edit the "cl1_hadoop" configuration and add the "hdfs" user to the "policy.download.auth.users" property.
>
> Why is this step necessary when I can just download the policies with no credentials with curl? Are we looking at a security issue here?
>
> Colm.
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
