
Work on HADOOP-12628 stopped by mai shurong.
--------------------------------------------
> service level authorization check the combination of host and user
> ------------------------------------------------------------------
>
>                 Key: HADOOP-12628
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12628
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.4.1, 2.5.1, 2.5.2, 2.6.0, 
> 2.6.1, 2.6.2
>            Reporter: mai shurong
>            Assignee: mai shurong
>              Labels: improvement, patch
>
> Service level authorization in hadoop2.2.x can only check the user from 
> the client. Service level authorization in hadoop2.7.x adds the function of 
> checking the host (IP) of the client, but it can only check host and user 
> independently and cannot check the combination of host and user.
> I add the function of checking the combination of host and user with this patch. 
> After applying the patch, we can set the authorization of host-user pairs in 
> hadoop-policy.xml. Take security.client.protocol.acl for example:
> If we only let hadoop_user1 from 192.168.0.1 (IP) have the authorization, 
> we can set "hadoop_user1:192.168.0.1". So hadoop_user1 from any host other than 
> 192.168.0.1 doesn't have the authorization. If we add the authorization of 
> hadoop_user2 from myhost.com.cn (hostname), we can set 
> "hadoop_user2:myhost.com.cn"; if we authorize hadoop_user3 from any host, we 
> just set "hadoop_user3" like before; if we want to authorize any user from the 
> host 192.168.10.10, we can set "*:192.168.10.10".
> example:
> <property>
>     <name>security.client.protocol.acl</name>
>     <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> It is also applied to the blocked access control list after hadoop2.6.0:
> example:
> <property>
>     <name>security.client.protocol.acl.blocked</name>
>     <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> The format of the access control list is completely compatible.
> The lists of users and groups are both comma-separated lists of names. The two 
> lists are separated by a space.
> Add a blank at the beginning of the line if only a list of groups is to be 
> provided; equivalently, a comma-separated list of users followed by a space or 
> nothing implies only the given set of users. A special value of * implies that 
> all users from any host are allowed to access the service.
> Example: 
> user1,user2 group1,group2 (user1, user2, group1, group2 from any host have the 
> authorization)
> user1:192.168.0.1,user2:myhost1.com.cn group1:192.168.0.2,group2:myhost2.com.cn 
> (user1 from 192.168.0.1, user2 from myhost1.com.cn, group1 from 192.168.0.2, 
> group2 from myhost2.com.cn have the authorization) 
> *:192.168.0.1,*:myhost1.com.cn (any user from 192.168.0.1, any user from 
> myhost1.com.cn has the authorization)
> * (any user from any host has the authorization) 
> example1:
> <property>
>     <name>security.client.protocol.acl</name>
>     <value>*</value>
> </property>
> example2:
> <property>
>     <name>security.client.protocol.acl</name>
>     <value>user1,user2 group1,group2</value>
> </property>
> example3:
> <property>
>     <name>security.client.protocol.acl</name>
>     <value>*:192.168.0.1,*:myhost1.com.cn</value>
> </property>
> example4:
> <property>
>     <name>security.client.protocol.acl</name>
>     <value>user1:192.168.0.1,user2:myhost1.com.cn group1:192.168.0.2,group2:myhost2.com.cn</value>
> </property>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
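As an added example (not the patch's code and not Hadoop's own AccessControlList), a small Python reference parser and matcher for the user:host ACL syntax described in the issue, covering the leading-blank groups-only form, the bare `*` wildcard, and the assumed Hadoop rule that a request must match the acl and not match the `.blocked` acl. The client host is compared as the literal string the server resolved, so IP/hostname equivalence is assumed to be settled before the check.

```python
from dataclasses import dataclass, field

@dataclass
class HostAcl:
    users: list = field(default_factory=list)   # (name, host) pairs; host None means any host
    groups: list = field(default_factory=list)  # same shape, for groups
    all_users: bool = False                     # a bare "*" value: everyone from anywhere

def _parse_entries(text):
    # Entries are comma-separated, "name" or "name:host", possibly with whitespace.
    entries = []
    for item in filter(None, (s.strip() for s in text.split(","))):
        name, _, host = item.partition(":")
        entries.append((name, host or None))
    return entries

def parse_acl(value):
    # Do NOT strip the value first: a leading blank means "groups only",
    # so the split must still see the empty users field.
    parts = value.split(" ", 1)
    acl = HostAcl()
    if any(p.strip() == "*" for p in parts):   # only a bare "*" is the wildcard
        acl.all_users = True
        return acl
    acl.users = _parse_entries(parts[0])
    if len(parts) == 2:
        acl.groups = _parse_entries(parts[1])
    return acl

def is_allowed(acl, user, groups, host):
    """Does (user, groups) connecting from host match the ACL?"""
    if acl.all_users:
        return True
    for name, h in acl.users:
        # "*" as the user name means any user, but only from the listed host
        if name in ("*", user) and h in (None, host):
            return True
    for name, h in acl.groups:
        if name in groups and h in (None, host):
            return True
    return False

def authorize(allow_value, blocked_value, user, groups, host):
    """Assumed Hadoop rule: matched by the acl and not matched by the .blocked acl."""
    return (is_allowed(parse_acl(allow_value), user, groups, host)
            and not is_allowed(parse_acl(blocked_value), user, groups, host))
```

Running the issue's own example value through `parse_acl` and `is_allowed` is a quick way to confirm a hadoop-policy.xml entry restricts a user to the intended host before it is deployed.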