[
https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379563#comment-16379563
]
Eric Yang commented on HADOOP-15222:
------------------------------------
Today, Hadoop offers two roles: cluster admin and normal user. New system
admin roles might be required for separation of duty for service hosting
companies. The following table shows a rough sketch of roles required to map
to Hadoop web applications:
HDFS
| Endpoint | Required role |
| /logs | cluster admin |
| /jmx | system monitor |
| /conf | cluster admin |
| /stacks | system monitor |
YARN
| Endpoint | Required role |
| /logs | cluster admin |
| /jmx | system monitor |
| /conf | cluster admin |
This separation will prevent leaks of customer information.
> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
> Key: HADOOP-15222
> URL: https://issues.apache.org/jira/browse/HADOOP-15222
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0
> Reporter: Eric Yang
> Priority: Major
>
> This Jira is responding to follow-up work for HADOOP-14077. The original
> goal of HADOOP-14077 is to have the ability to support multiple ACL lists. The
> original problem is a separation of duty use case where the Hadoop cluster
> hosting company monitors the Hadoop cluster through jmx. Application logs and
> hdfs contents should not be visible to hosting company system administrators.
> When checking for proxy user authorization in AuthenticationFilter, ensure
> there is a way to authorize normal users and admin users using separate proxy
> user ACL lists. This was suggested in HADOOP-14060 to configure
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFilterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser to validate both
> credentials claimed by the proxy user and the end user.
> However, there is a side effect that unauthorized users are not properly
> rejected with a 403 FORBIDDEN message if there is no other web filter
> configured to handle the required authorization work.
> This JIRA is intended to discuss the work of HADOOP-14077 by either combining
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into an
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized
> users, or reverting both HADOOP-14077 and HADOOP-13119 to eliminate the false
> positive in user authorization and impersonation.
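The following is an added, self-contained model (not Hadoop code, and not anything from this issue's patches) of the filter chain discussed above. It mimics the semantics of a proxy-user authentication filter followed by a final authorization filter that maps the endpoints from the comment's role table to the role allowed to read them, and it shows the side effect the description mentions: without the final filter, an authenticated but unauthorized end user is not rejected with 403. All names (`gateway`, `alice`, `monitor`, the `Request` class, the filter functions) and the ACL and role assignments are constructed for the example.

```python
"""Toy model of a Hadoop-style web filter chain with a final authorization
filter. Constructed example; it does not use Hadoop classes or config keys.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Roles from the comment's table (names assumed, not Hadoop identifiers).
CLUSTER_ADMIN = "cluster admin"
SYSTEM_MONITOR = "system monitor"

# Endpoint -> role allowed to read it, for the HDFS and YARN web UIs.
ENDPOINT_ROLES = {
    "hdfs": {"/logs": CLUSTER_ADMIN, "/jmx": SYSTEM_MONITOR,
             "/conf": CLUSTER_ADMIN, "/stacks": SYSTEM_MONITOR},
    "yarn": {"/logs": CLUSTER_ADMIN, "/jmx": SYSTEM_MONITOR,
             "/conf": CLUSTER_ADMIN},
}

# Constructed proxy-user ACL: which end users a proxy principal may impersonate.
PROXY_ACL = {"gateway": {"alice", "monitor"}}

# Constructed role assignments for end users.
USER_ROLES = {"alice": {CLUSTER_ADMIN}, "monitor": {SYSTEM_MONITOR}}


@dataclass
class Request:
    service: str                         # "hdfs" or "yarn"
    path: str                            # e.g. "/jmx"
    principal: str                       # authenticated caller (may be a proxy)
    do_as: Optional[str] = None          # ?doAs= end user when impersonating
    effective_user: Optional[str] = None # user the request runs as
    status: int = 200                    # 200 pass, 403 rejected


def authentication_filter_with_proxy_user(req: Request) -> Request:
    """Accept the caller; if it impersonates someone, check the proxy ACL.
    This filter establishes *who* the request runs as; it does not decide
    whether that user may read the requested endpoint."""
    if req.do_as is None:
        req.effective_user = req.principal
    elif req.do_as in PROXY_ACL.get(req.principal, set()):
        req.effective_user = req.do_as
    else:
        req.status = 403  # proxy is not allowed to impersonate this user
    return req


def authorization_filter(req: Request) -> Request:
    """Final filter: reject the effective user if its roles do not cover
    the endpoint. Without this step nothing evicts unauthorized users."""
    if req.status != 200:
        return req
    required = ENDPOINT_ROLES.get(req.service, {}).get(req.path)
    roles = USER_ROLES.get(req.effective_user or "", set())
    if required is not None and required not in roles:
        req.status = 403
    return req


def run_chain(req: Request, filters: List[Callable[[Request], Request]]) -> Request:
    """Apply filters in order, stopping at the first rejection."""
    for f in filters:
        req = f(req)
        if req.status != 200:
            break
    return req


WITHOUT_FINAL = [authentication_filter_with_proxy_user]
WITH_FINAL = [authentication_filter_with_proxy_user, authorization_filter]


def status_for(service: str, path: str, principal: str,
               do_as: Optional[str] = None, final_filter: bool = True) -> int:
    """Return the HTTP status the chain would produce for the request."""
    chain = WITH_FINAL if final_filter else WITHOUT_FINAL
    return run_chain(Request(service, path, principal, do_as), chain).status


if __name__ == "__main__":
    # The monitor may read /jmx but must not read /logs.
    print(status_for("hdfs", "/jmx", "gateway", "monitor"))                      # 200
    print(status_for("hdfs", "/logs", "gateway", "monitor"))                     # 403
    # Same request without the final filter slips through: the side effect.
    print(status_for("hdfs", "/logs", "gateway", "monitor", final_filter=False)) # 200
```

The point of the model is the last line: proxy-user authentication alone only answers "may `gateway` act as `monitor`?", so a user that passes that check still reaches `/logs` unless a final authorization filter maps the endpoint to a role and returns 403.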
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)