Eric Yang created YARN-7923:

             Summary: Refine proxy user authorization to support multiple ACL 
                 Key: YARN-7923
             Project: Hadoop YARN
          Issue Type: Bug
          Components: security
    Affects Versions: 3.0.0
            Reporter: Eric Yang
            Assignee: Eric Yang

This Jira is responding to follow up work for HADOOP-14077.  The original goal 
of HADOOP-14077 is to have ability to support multiple ACL lists.  When 
checking for proxy user authorization in AuthenticationFilter to ensure there 
is a way to authorize normal users and admin users using separate proxy users 
ACL lists.  This was suggested in 
 to configure AuthenticationFilterWithProxyUser this way:


This enables the second AuthenticationFilterWithProxyUser validates both 
credentials claim by proxy user, and end user.

However, there is a side effect that unauthorized users are not properly 
rejected with 403 FORBIDDEN message if there is no other web filter configured 
to handle the required authorization work.

This JIRA is intend to discuss the work of HADOOP-14077 by either combine 
StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a 
AuthorizationFilterWithProxyUser as a final filter to evict unauthorized user, 
or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false positive in 
user authorization.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to