[ https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361799#comment-16361799 ]
Eric Yang commented on HADOOP-15222: ------------------------------------ [~lmccay] Sorry, until a better proposal is feasible to secure /log and /jmx, there is no good enough reason to justify the revert of HADOOP-13119. [~arpitagarwal]'s report was not valid on HADOOP-13119, and HADOOP-13119 does provide better security for authorized users than anonymous to access /log. I can not agree on the revert on HADOOP-13119 at this time. > Refine proxy user authorization to support multiple ACL list > ------------------------------------------------------------ > > Key: HADOOP-15222 > URL: https://issues.apache.org/jira/browse/HADOOP-15222 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 3.0.0 > Reporter: Eric Yang > Priority: Major > > This Jira is responding to follow up work for HADOOP-14077. The original > goal of HADOOP-14077 is to have ability to support multiple ACL lists. When > checking for proxy user authorization in AuthenticationFilter to ensure there > is a way to authorize normal users and admin users using separate proxy users > ACL lists. This was suggested in HADOOP-14060 to configure > AuthenticationFilterWithProxyUser this way: > AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser > This enables the second AuthenticationFilterWithProxyUser validates both > credentials claim by proxy user, and end user. > However, there is a side effect that unauthorized users are not properly > rejected with 403 FORBIDDEN message if there is no other web filter > configured to handle the required authorization work. > This JIRA is intend to discuss the work of HADOOP-14077 by either combine > StaticUserWebFilter + second AuthenticationFilterWithProxyUser into a > AuthorizationFilterWithProxyUser as a final filter to evict unauthorized > user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate the false > positive in user authorization. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org