[
https://issues.apache.org/jira/browse/SLIDER-501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14169512#comment-14169512
]
Jonathan Maron commented on SLIDER-501:
---------------------------------------
I believe authorization is already addressed by Slider as follows:
1) The client does a preliminary check, based on user ID, for a cluster
directory (/users/<username>/.slider/cluster/<clustername>). If no directory is
found the client invocation fails. Therefore, a login other than the
originating user will not return the cluster in question. If two different
users do have the same cluster name, the associated info (application and
container IDs etc) will be different so there will be no overlap or
authorization concerns.
2) The listing of available applications to manage is also returned based on
client user name, so if the client invoking user's name is different than the
user name that launched a cluster he does not gain access to the application.
3) Assuming there is a way to get around the two first issues, service ACL
support is implemented in the AM, i.e. users and groups can be listed that are
allowed to manage Slider instances by specifying a comma delimited list of
users and groups for property "security.slider.protocol.acl".
> authorize client invocations based on user identity
> ---------------------------------------------------
>
> Key: SLIDER-501
> URL: https://issues.apache.org/jira/browse/SLIDER-501
> Project: Slider
> Issue Type: Bug
> Components: appmaster, client, security
> Reporter: Jonathan Maron
> Assignee: Jonathan Maron
>
> Need to ensure that the identity of the user requesting AM management
> operations is the same identity as the originating user.