[jira] [Commented] (HADOOP-16095) Support impersonation for AuthenticationFilter

[ https://issues.apache.org/jira/browse/HADOOP-16095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16840542#comment-16840542 ]

Eric Yang commented on HADOOP-16095:

Patch 004 is the original patch that was posted to the Hadoop security mailing list on Feb 11, 2019. This patch covers a new AuthenticationFilter that enables impersonation at the web protocol level. It also covers a patch to apply AuthenticationFilter globally to HDFS and YARN applications. The core filter is refined in HADOOP-16287. The application of the filter is filed as another issue, HADOOP-16314, to ensure all entry points are covered.

> Support impersonation for AuthenticationFilter
> --
>
>                 Key: HADOOP-16095
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16095
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: HADOOP-16095.004.patch
>
>
> External services or YARN service may need to call into WebHDFS or YARN REST
> API on behalf of the user using web protocols. It would be good to support
> an impersonation mechanism in AuthenticationFilter or similar extensions. The
> general design is similar to UserGroupInformation.doAs in the RPC layer.
> The calling service credential is verified as a proxy user coming from a
> trusted host by verifying the Hadoop proxy user ACL on the server side. If the proxy
> user ACL allows the proxy user to become the doAs user, the HttpRequest object will
> report REMOTE_USER as the doAs user. This feature enables web application logic
> to be written with minimal changes to call the Hadoop API with the
> UserGroupInformation.doAs() wrapper.
> h2. HTTP Request
> A few possible options:
> 1. Using a query parameter to pass the doAs user:
> {code:java}
> POST /service?doAs=foobar
> Authorization: [proxy user Kerberos token]
> {code}
> 2. Using an HTTP header to pass the doAs user:
> {code:java}
> POST /service
> Authorization: [proxy user Kerberos token]
> x-hadoop-doas: foobar
> {code}
> h2. HTTP Response
> 403 - Forbidden (including when impersonation is not allowed)
> h2. Proxy User ACL requirement
> The proxy user Kerberos token maps to a service principal, such as
> yarn/host1.example.com. The host part of the credential and the HTTP request
> origin are both validated with the *hadoop.proxyuser.yarn.hosts* ACL. The doAs user's
> group membership or identity is checked with either
> *hadoop.proxyuser.yarn.groups* or *hadoop.proxyuser.yarn.users*. This governs
> that the caller is coming from an authorized host and belongs to an authorized group.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
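The decision the issue description lays out (doAs taken from either the query parameter or the header, the credential's host part and the request origin both checked against the hosts ACL, the doAs user checked against users or groups, REMOTE_USER rewritten on success and 403 otherwise) as a stand-alone model. This is an added example, not Hadoop's AuthenticationFilter or any code from the patch: the Request record, the ProxyUserAcl class, the group mapping and the configuration values are constructed stand-ins, the parameter name doAs and header name x-hadoop-doas are the two options quoted above, and it assumes Kerberos authentication has already succeeded and that the request origin has already been resolved to a host name.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Stand-alone model of the doAs decision this issue describes. Added illustration, not
// Hadoop's AuthenticationFilter: Request and ProxyUserAcl are simplified stand-ins.
public class ProxyUserDoAsExample {
    // Assumption: Kerberos authentication already succeeded and the request origin has
    // already been resolved to a host name. Header names are lower-cased.
    record Request(String principal, String originHost,
                   Map<String, String> query, Map<String, String> headers) {}

    // Proxy-user ACL parsed from hadoop.proxyuser.<name>.{hosts,groups,users} entries.
    static final class ProxyUserAcl {
        final Map<String, Map<String, Set<String>>> byKind = new HashMap<>(); // kind -> name -> values

        static ProxyUserAcl fromConf(Map<String, String> conf) {
            ProxyUserAcl acl = new ProxyUserAcl();
            for (Map.Entry<String, String> e : conf.entrySet()) {
                String[] p = e.getKey().split("\\."); // hadoop, proxyuser, <name>, <kind>
                if (p.length != 4 || !p[0].equals("hadoop") || !p[1].equals("proxyuser")) continue;
                Set<String> values = new HashSet<>();
                for (String v : e.getValue().split(",")) values.add(v.trim());
                acl.byKind.computeIfAbsent(p[3], k -> new HashMap<>()).put(p[2], values);
            }
            return acl;
        }

        // True if the ACL of this kind for the proxy user lists the value (or "*").
        boolean allows(String kind, String proxyUser, String value) {
            Set<String> acl = byKind.getOrDefault(kind, Map.of()).get(proxyUser);
            return acl != null && (acl.contains("*") || acl.contains(value));
        }
    }

    // "yarn/host1.example.com@EXAMPLE.COM" -> "yarn"
    static String shortName(String principal) {
        int end = principal.indexOf('/');
        if (end < 0) end = principal.indexOf('@');
        return end < 0 ? principal : principal.substring(0, end);
    }

    // "yarn/host1.example.com@EXAMPLE.COM" -> "host1.example.com"; empty for a user principal
    static Optional<String> hostPart(String principal) {
        int slash = principal.indexOf('/');
        if (slash < 0) return Optional.empty();
        int at = principal.indexOf('@', slash);
        return Optional.of(at < 0 ? principal.substring(slash + 1) : principal.substring(slash + 1, at));
    }

    // Option 1 (doAs query parameter) or option 2 (x-hadoop-doas header) from the issue text.
    static Optional<String> requestedDoAs(Request r) {
        String v = r.query().get("doAs");
        if (v == null || v.isEmpty()) v = r.headers().get("x-hadoop-doas");
        return (v == null || v.isEmpty()) ? Optional.empty() : Optional.of(v);
    }

    // What REMOTE_USER should report. Empty means 403 Forbidden: impersonation was
    // requested but the proxy-user ACL does not allow it.
    static Optional<String> resolveRemoteUser(Request r, ProxyUserAcl acl,
                                              Map<String, Set<String>> groupsOf) {
        String proxyUser = shortName(r.principal());
        Optional<String> doAs = requestedDoAs(r);
        if (doAs.isEmpty()) return Optional.of(proxyUser); // no impersonation: caller is itself

        // Both the credential's host part and the request origin must pass the hosts ACL.
        Optional<String> credHost = hostPart(r.principal());
        if (credHost.isEmpty() || !acl.allows("hosts", proxyUser, credHost.get())
                || !acl.allows("hosts", proxyUser, r.originHost())) {
            return Optional.empty();
        }
        // The doAs user must be listed by identity (users) or by group membership (groups).
        String target = doAs.get();
        boolean allowed = acl.allows("users", proxyUser, target);
        for (String g : groupsOf.getOrDefault(target, Set.of())) {
            allowed |= acl.allows("groups", proxyUser, g);
        }
        return allowed ? doAs : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed configuration and group mapping in the style of the issue's example.
        ProxyUserAcl acl = ProxyUserAcl.fromConf(Map.of(
                "hadoop.proxyuser.yarn.hosts", "host1.example.com,host2.example.com",
                "hadoop.proxyuser.yarn.groups", "analysts"));
        Map<String, Set<String>> groupsOf = Map.of("foobar", Set.of("analysts"),
                                                   "root", Set.of("wheel"));
        String yarn = "yarn/host1.example.com@EXAMPLE.COM";
        Request[] cases = {
            new Request(yarn, "host1.example.com", Map.of("doAs", "foobar"), Map.of()), // query form
            new Request(yarn, "host2.example.com", Map.of(), Map.of("x-hadoop-doas", "foobar")), // header form
            new Request(yarn, "host9.example.com", Map.of("doAs", "foobar"), Map.of()), // host9 not in hosts ACL
            new Request(yarn, "host1.example.com", Map.of("doAs", "root"), Map.of()),   // root is only in wheel
            new Request(yarn, "host1.example.com", Map.of(), Map.of()),                 // no doAs requested
        };
        for (Request r : cases) {
            System.out.println(resolveRemoteUser(r, acl, groupsOf)
                    .map(u -> "REMOTE_USER=" + u).orElse("403 Forbidden"));
        }
    }
}
```

Compile and run with `javac ProxyUserDoAsExample.java && java ProxyUserDoAsExample` (Java 16 or later, for the record). The five constructed requests walk through each branch of the description: the two request forms, an origin outside the hosts ACL, a doAs user outside the allowed group, and a request with no doAs at all, which leaves REMOTE_USER as the caller's own short name. The host check is deliberately applied twice, once to the host part of the service principal and once to the request origin, because the description requires both; a real filter would compare the origin as an IP address with DNS resolution of the ACL entries rather than the name-to-name match assumed here.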
[jira] [Commented] (HADOOP-16095) Support impersonation for AuthenticationFilter

[ https://issues.apache.org/jira/browse/HADOOP-16095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16762209#comment-16762209 ]

Eric Yang commented on HADOOP-16095:

The reason for this proposal is that the existing doas query parameter is written as part of the HDFS logic instead of being part of the security filter.

{code:java}
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/resources/DoAsParam.java: public static final String NAME = "doas";
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/java/org/apache/hadoop/fs/http/client/HttpFSFileSystem.java: public static final String DO_AS_PARAM = "doas";
{code}

It would be good if this were generalized to be reusable by YARN and Ozone.

> Support impersonation for AuthenticationFilter
> --
>
>                 Key: HADOOP-16095
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16095
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>
>
> External services or YARN service may need to call into WebHDFS or YARN REST
> API on behalf of the user using web protocols. It would be good to support
> an impersonation mechanism in AuthenticationFilter or similar extensions. The
> general design is similar to UserGroupInformation.doAs in the RPC layer.
> The calling service credential is verified as a proxy user coming from a
> trusted host by verifying the Hadoop proxy user ACL on the server side. If the proxy
> user ACL allows the proxy user to become the doAs user, the HttpRequest object will
> report REMOTE_USER as the doAs user. This feature enables web application logic
> to be written with minimal changes to call the Hadoop API with the
> UserGroupInformation.doAs() wrapper.
> h2. HTTP Request
> A few possible options:
> 1. Using a query parameter to pass the doAs user:
> {code:java}
> POST /service?doAs=foobar
> Authorization: [proxy user Kerberos token]
> {code}
> 2. Using an HTTP header to pass the doAs user:
> {code:java}
> POST /service
> Authorization: [proxy user Kerberos token]
> x-hadoop-doas: foobar
> {code}
> h2. HTTP Response
> 403 - Forbidden (including when impersonation is not allowed)
> h2. Proxy User ACL requirement
> The proxy user Kerberos token maps to a service principal, such as
> yarn/host1.example.com. The host part of the credential and the HTTP request
> origin are both validated with the *hadoop.proxyuser.yarn.hosts* ACL. The doAs user's
> group membership or identity is checked with either
> *hadoop.proxyuser.yarn.groups* or *hadoop.proxyuser.yarn.users*. This governs
> that the caller is coming from an authorized host and belongs to an authorized group.