[jira] [Comment Edited] (YARN-7923) Refine proxy user authorization to support multiple ACL list

Mon, 12 Feb 2018 14:45:45 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-7923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361554#comment-16361554
 ] 

Eric Yang edited comment on YARN-7923 at 2/12/18 10:44 PM:
-----------------------------------------------------------

Sorry, filed with wrong project.


was (Author: eyang):
Sorry, failed with wrong project.

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
>                 Key: YARN-7923
>                 URL: https://issues.apache.org/jira/browse/YARN-7923
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>
> This Jira is responding to follow up work for HADOOP-14077.  The original 
> goal of HADOOP-14077 is to have ability to support multiple ACL lists.  When 
> checking for proxy user authorization in AuthenticationFilter to ensure there 
> is a way to authorize normal users and admin users using separate proxy users 
> ACL lists.  This was suggested in 
> [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15875737]
>  to configure AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both 
> credentials claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly 
> rejected with 403 FORBIDDEN message if there is no other web filter 
> configured to handle the required authorization work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine 
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a 
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized 
> user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false 
> positive in user authorization.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to