[jira] [Commented] (HADOOP-15222) Refine proxy user authorization to support multiple ACL list

[Larry McCay (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361756#comment-16361756
 ] 

Larry McCay commented on HADOOP-15222:
--------------------------------------

Revert it from all branches and put it back to proper proxyuser rules 
enforcement.

Also, we should add the block of a configurable set of resources so that they 
can't be accessed via impersonation since impersonation isn't intended for 
admin users and some resources may be considered sensitive enough to limit to 
admins.

We can then have a discussion on whether we want to extend impersonated to 
admins or not.

I personally don't think we should but perhaps it can be controlled enough with 
proper config.

 

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
>                 Key: HADOOP-15222
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15222
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Priority: Major
>
> This Jira is responding to follow up work for HADOOP-14077.  The original 
> goal of HADOOP-14077 is to have ability to support multiple ACL lists.  When 
> checking for proxy user authorization in AuthenticationFilter to ensure there 
> is a way to authorize normal users and admin users using separate proxy users 
> ACL lists.  This was suggested in HADOOP-14060 to configure 
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both 
> credentials claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly 
> rejected with 403 FORBIDDEN message if there is no other web filter 
> configured to handle the required authorization work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine 
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a 
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized 
> user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false 
> positive in user authorization.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org