[ 
https://issues.apache.org/jira/browse/HADOOP-6510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806737#action_12806737
 ] 

Owen O'Malley commented on HADOOP-6510:
---------------------------------------

The authorization for proxy users needs to be factored out into a new class 
hadoop.security.authorize.ProxyUsers that looks like:

{noformat}
@InterfaceAudience.Private
public class ProxyUsers {
  public ProxyUsers(Configuration conf) { ... }
  public void authorize(UserGroupInformation user, String remoteAddress)
      throws AccessControlException { ... }
}
{noformat}

The configuration must be done on a per-user basis:

hadoop.proxyuser.bob.users = bobusers
hadoop.proxyuser.bob.ip-addresses = host1, host2

hadoop.proxyuser.owen.users = doug,sue,mygroup
hadoop.proxyuser.owen.ip-addresses = host3

so bob could impersonate any user in bobusers and owen could impersonate doug, 
sue, or users in mygroup.

The ip-addresses can be hostnames.

TokenIdentifier shouldn't have getRealUserName, only DelegationTokenIdentifier.

Your lines go much too long; please limit them to 80 chars.

You need to factor out the code to create a UGI from the connection.


> doAs for proxy user
> -------------------
>
>                 Key: HADOOP-6510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6510
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Jitendra Nath Pandey
>            Assignee: Jitendra Nath Pandey
>         Attachments: HADOOP-6510.8.patch
>
>
> This jira will add support for a superuser authenticating on behalf of a 
> proxy user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
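
The per-user check described in the comment above, as an added example that is not part of the original message and is not Hadoop's code. It assumes a plain Map in place of Configuration, plain strings in place of UserGroupInformation, exact string matching on the host, and the constructed names ProxyUserCheck, alice and staff.

```java
import java.util.*;

// Added illustration, not Hadoop code: a Map stands in for Configuration and
// the caller supplies the target user's groups instead of a UGI.
public class ProxyUserCheck {
  private static final String PREFIX = "hadoop.proxyuser.";
  private final Map<String, String> conf;

  public ProxyUserCheck(Map<String, String> conf) { this.conf = conf; }

  // Comma-separated value of hadoop.proxyuser.<superUser><suffix>.
  // A missing key yields an empty set, so unconfigured users are denied.
  private Set<String> list(String superUser, String suffix) {
    Set<String> out = new HashSet<>();
    String raw = conf.get(PREFIX + superUser + suffix);
    if (raw == null) return out;
    for (String s : raw.split(",")) {
      if (!s.trim().isEmpty()) out.add(s.trim());
    }
    return out;
  }

  // Throws unless superUser may act as target when connecting from remoteHost.
  public void authorize(String superUser, String target,
      Collection<String> targetGroups, String remoteHost) {
    Set<String> allowed = list(superUser, ".users");
    // An entry matches either the target's user name or one of its groups.
    if (!allowed.contains(target)
        && Collections.disjoint(allowed, targetGroups)) {
      throw new SecurityException("impersonation denied: " + target);
    }
    // Assumption: exact string match on the host; no DNS resolution is done.
    if (!list(superUser, ".ip-addresses").contains(remoteHost)) {
      throw new SecurityException("host denied: " + remoteHost);
    }
  }

  public static void main(String[] args) {
    Map<String, String> conf = new HashMap<>();  // settings from the comment
    conf.put("hadoop.proxyuser.bob.users", "bobusers");
    conf.put("hadoop.proxyuser.bob.ip-addresses", "host1, host2");
    conf.put("hadoop.proxyuser.owen.users", "doug,sue,mygroup");
    conf.put("hadoop.proxyuser.owen.ip-addresses", "host3");
    ProxyUserCheck check = new ProxyUserCheck(conf);
    check.authorize("bob", "alice", Arrays.asList("bobusers"), "host2"); // ok
    check.authorize("owen", "doug", Arrays.asList("staff"), "host3");    // ok
    try {  // owen is only allowed from host3
      check.authorize("owen", "doug", Arrays.asList("staff"), "host1");
    } catch (SecurityException e) { System.out.println(e.getMessage()); }
  }
}
```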
