[ https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379563#comment-16379563 ]
Eric Yang edited comment on HADOOP-15222 at 2/28/18 1:12 AM: ------------------------------------------------------------- Today, hadoop offers two roles, cluster admin, and normal users. New system monitor role might be required for separation of duty for service hosting companies. The following table shows a rough sketch of roles required to map to Hadoop web applications: HDFS | /logs | cluster admin | | /jmx | system monitor | | /conf | cluster admin | | /stacks | system monitor | YARN | /logs | cluster admin | | /jmx | system monitor | | /conf | cluster admin | This separation will prevent leaks of customer information. was (Author: eyang): Today, hadoop offers two roles, cluster admin, and normal users. New system admin roles might be required for separation of duty for service hosting companies. The following table shows a rough sketch of roles required to map to Hadoop web applications: HDFS | /logs | cluster admin | | /jmx | system monitor | | /conf | cluster admin | | /stacks | system monitor | YARN | /logs | cluster admin | | /jmx | system monitor | | /conf | cluster admin | This separation will prevent leaks of customer information. > Refine proxy user authorization to support multiple ACL list > ------------------------------------------------------------ > > Key: HADOOP-15222 > URL: https://issues.apache.org/jira/browse/HADOOP-15222 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 3.0.0 > Reporter: Eric Yang > Priority: Major > > This Jira is responding to follow up work for HADOOP-14077. The original > goal of HADOOP-14077 is to have ability to support multiple ACL lists. The > original problem is a separation of duty use case where the Hadoop cluster > hosting company monitors Hadoop cluster through jmx. Application logs and > hdfs contents should not be visible to hosting company system administrators. > When checking for proxy user authorization in AuthenticationFilter to ensure > there is a way to authorize normal users and admin users using separate proxy > users ACL lists. This was suggested in HADOOP-14060 to configure > AuthenticationFilterWithProxyUser this way: > AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser > This enables the second AuthenticationFilterWithProxyUser validates both > credentials claim by proxy user, and end user. > However, there is a side effect that unauthorized users are not properly > rejected with 403 FORBIDDEN message if there is no other web filter > configured to handle the required authorization work. > This JIRA is intend to discuss the work of HADOOP-14077 by either combine > StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a > AuthorizationFilterWithProxyUser as a final filter to evict unauthorized > user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false > positive in user authorization and impersonation. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org