[ https://issues.apache.org/jira/browse/HADOOP-15162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16317583#comment-16317583 ]
Eric Yang commented on HADOOP-15162:
------------------------------------

[~daryn] Thank you for your reply.

{quote}
Based on the snippets of code that conclude with "if authentication are in place, server side code can be simplified to [...] UserGroupInformation.createRemoteUser(remoteUser);", I think you are suggesting that createRemote should auto-magically create a proxy user with the login user? If you say yes, I'll provide a litany of reasons why that'd be completely broken. If no, please more concisely state your use case.
{quote}

Proxy user credential should be verified if it can impersonate. In my usage, I am writing a component for YARN, and the end user credential is verified in the HTTP request. If code is written as UGI.createRemoteUser(remoteUser), should there be a check to determine if the current service user can proxy? Some Hadoop PMC told me no because they assumed that if isSecurityEnabled == false, there should be no proxy ACL check. If this type of assumption is applied, then we will have components talking to other components without honoring the proxy user ACL, leading to part of Hadoop being completely insecure. This is the reason that I think createRemoteUser defaulting the authentication method to SIMPLE is a bad practice. The server should decide which authentication method to use, set up the authentication method and verify the proxy ACL explicitly.

> UserGroupInformation.createRemoteUser hardcode authentication method to SIMPLE
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-15162
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15162
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Eric Yang
>
> {{UserGroupInformation.createRemoteUser(String user)}} is hard coded
> Authentication method to SIMPLE by HADOOP-10683. This bypassed proxyuser
> ACL check, isSecurityEnabled check, and allows caller to impersonate as
> anyone. This method could be abused in the main code base, which can cause
> part of Hadoop to become insecure without proxyuser check for both SIMPLE or
> Kerberos enabled environment.
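
An added example, not part of the original message or of the Hadoop code base: one way a service can make the proxy check explicit, as the comment asks, instead of relying on createRemoteUser alone. The class name ImpersonationGate, its method names and the clientAddr parameter are hypothetical; the code assumes hadoop-common on the classpath and hadoop.proxyuser.* rules present in the service configuration.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/** Hypothetical helper for a service that receives an already-authenticated end-user name. */
public final class ImpersonationGate {

  private ImpersonationGate() {}

  /** Load the hadoop.proxyuser.<service>.hosts/groups/users rules once at start-up. */
  public static void init(Configuration conf) {
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  }

  /**
   * The pattern questioned in the thread. The returned UGI has no real user
   * (getRealUser() is null), so it carries nothing a proxy ACL could be
   * evaluated against: whoever calls this decides who the caller "is".
   */
  static UserGroupInformation unchecked(String remoteUser) {
    return UserGroupInformation.createRemoteUser(remoteUser);
  }

  /**
   * Explicit alternative: bind the end user to the service's own login identity,
   * then ask ProxyUsers whether that service may impersonate this user from
   * this client address. Runs whether or not Kerberos is enabled.
   *
   * @param remoteUser end-user name taken from the verified HTTP request
   * @param clientAddr address the request came from (hypothetical parameter)
   * @throws AuthorizationException if the proxy ACL does not allow the impersonation
   */
  public static UserGroupInformation checked(String remoteUser, String clientAddr)
      throws IOException {
    if (remoteUser == null || remoteUser.isEmpty()) {
      // Fail closed: never fall back to the service identity.
      throw new AuthorizationException("no authenticated end user in request");
    }
    UserGroupInformation service = UserGroupInformation.getLoginUser();
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(remoteUser, service);
    ProxyUsers.authorize(proxy, clientAddr); // throws when the ACL denies
    return proxy;
  }
}
```

A caller would then run the request's work inside checked(user, addr).doAs(...), so downstream components see both the effective user and the real service user.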