[
https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836930#comment-16836930
]
Sunil Govindan commented on HADOOP-16287:
-----------------------------------------
Thanks [~Prabhu Joseph] and [~eyang]
In summary, we ensure that in a secure cluster (where authentication is
Kerberos), we will be adding this new filter (using an initialiser for
this filter, which will be done in another Jira) at the end of the filter chain.
With this new filter, the incoming authenticated user will also be checked for 2
things.
# Whether the incoming authenticated user (e.g. knox) is a valid proxy user
or not (from the proxy user configurations)
# Whether any doAs param is present in the same request.
In such a case, the doAs user will be considered as the requested user for Hadoop.
Since this is very much configuration driven and not coming in the default path, it
looks like a cleaner solution. Appreciate your thoughts.
[~lmccay] [~vinodkv] [~daryn] [~leftnoteasy]
> KerberosAuthenticationHandler Trusted Proxy Support for Knox
> ------------------------------------------------------------
>
> Key: HADOOP-16287
> URL: https://issues.apache.org/jira/browse/HADOOP-16287
> Project: Hadoop Common
> Issue Type: New Feature
> Components: auth
> Affects Versions: 3.2.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16287-001.patch, HADOOP-16287-002.patch,
> HADOOP-16287-004.patch, HADOOP-16287-005.patch, HADOOP-16827-003.patch
>
>
> Knox passes doAs with end user while accessing RM, WebHdfs Rest Api.
> Currently KerberosAuthenticationHandler sets the remote user to Knox. Need
> Trusted Proxy Support by reading doAs query parameter.
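The two checks described in the comment above, modeled in plain Java as an added example (not code from the HADOOP-16287 patches or from Hadoop). The class name, the map standing in for the proxy user configuration, and the choice to reject a doAs sent by a caller that is not an authorized proxy are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: plain-Java model of the trusted-proxy check, not Hadoop code.
public class TrustedProxyCheck {
    // Hypothetical stand-in for the proxy user configuration:
    // proxy user -> users it may impersonate ("*" means any user).
    private final Map<String, Set<String>> allowedTargets;

    public TrustedProxyCheck(Map<String, Set<String>> allowedTargets) {
        this.allowedTargets = allowedTargets;
    }

    // authenticatedUser: name established by Kerberos authentication earlier in the chain.
    // doAs: value of the doAs query parameter, or null when absent.
    // Returns the user the request should run as; throws when impersonation is not allowed.
    public String effectiveUser(String authenticatedUser, String doAs) {
        if (authenticatedUser == null || authenticatedUser.isEmpty()) {
            throw new SecurityException("no authenticated user; check must run after authentication");
        }
        if (doAs == null || doAs.isEmpty() || doAs.equals(authenticatedUser)) {
            return authenticatedUser;              // no impersonation requested
        }
        Set<String> targets = allowedTargets.get(authenticatedUser);
        if (targets == null) {                     // caller is not a configured proxy user
            throw new SecurityException(authenticatedUser + " is not a proxy user");
        }
        if (!targets.contains("*") && !targets.contains(doAs)) {
            throw new SecurityException(authenticatedUser + " may not impersonate " + doAs);
        }
        return doAs;                               // trusted proxy: act as the end user
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        Map<String, Set<String>> conf = new HashMap<>();
        conf.put("knox", Set.of("*"));
        conf.put("oozie", Set.of("alice"));
        TrustedProxyCheck check = new TrustedProxyCheck(conf);
        String[][] requests = {{"knox", "alice"}, {"knox", null}, {"oozie", "bob"}, {"guest", "hdfs"}};
        for (String[] r : requests) {
            try {
                System.out.println(r[0] + " doAs=" + r[1] + " -> " + check.effectiveUser(r[0], r[1]));
            } catch (SecurityException e) {
                System.out.println(r[0] + " doAs=" + r[1] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the check only after authentication matters: the doAs value is caller-controlled, so it is honored only when the authenticated identity is itself authorized to act as a proxy.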