[ 
https://issues.apache.org/jira/browse/HADOOP-15222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361799#comment-16361799
 ] 

Eric Yang commented on HADOOP-15222:
------------------------------------

[~lmccay] Sorry, until a better proposal is feasible to secure /log and /jmx, 
there is no good enough reason to justify the revert of HADOOP-13119.  
[~arpitagarwal]'s report was not valid on HADOOP-13119, and HADOOP-13119 does 
provide better security for authorized users than anonymous to access /log.  I 
cannot agree to the revert of HADOOP-13119 at this time.


> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
>                 Key: HADOOP-15222
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15222
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Priority: Major
>
> This Jira is responding to follow-up work for HADOOP-14077.  The original 
> goal of HADOOP-14077 is to have the ability to support multiple ACL lists 
> when checking for proxy user authorization in AuthenticationFilter, to ensure 
> there is a way to authorize normal users and admin users using separate proxy 
> user ACL lists.  This was suggested in HADOOP-14060 to configure 
> AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFilterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser to validate both 
> credentials claimed by the proxy user and the end user.
> However, there is a side effect that unauthorized users are not properly 
> rejected with a 403 FORBIDDEN message if there is no other web filter 
> configured to handle the required authorization work.
> This JIRA is intended to discuss the work of HADOOP-14077 by either combining 
> StaticUserWebFilter + second AuthenticationFilterWithProxyUser into an 
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized 
> users, or reverting both HADOOP-14077 and HADOOP-13119 to eliminate the false 
> positive in user authorization.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
