[ https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832601#comment-16832601 ]
Eric Yang commented on HADOOP-16287: ------------------------------------ [~daryn] {quote}-1 on returning a new auth cookie as the impersonated user. It's insanely dangerous and will create bugs and/or security holes. The auth cookie must be the authenticated user. Let's explore the unintended side effects.{quote} If the auth cookie is forwarded from proxy to end user, then end user got token for proxy user (authenticated user). That does not sound right. It's either no auth cookie returned, or the cookie is token for end user credential. This prevents accidental leaks of impersonation power. The three points listed are implementation mistake that can happen, if proxyuser or server code is not written properly. Knox does shield hadoop.auth cookie from leaking. The handling of hadoop.auth cookie between Hadoop and Knox should be private conversation. If the operation between servers are multi-calls, the cached token can reduce hitting KDC server for each call. > KerberosAuthenticationHandler Trusted Proxy Support for Knox > ------------------------------------------------------------ > > Key: HADOOP-16287 > URL: https://issues.apache.org/jira/browse/HADOOP-16287 > Project: Hadoop Common > Issue Type: New Feature > Components: auth > Affects Versions: 3.2.0 > Reporter: Prabhu Joseph > Assignee: Prabhu Joseph > Priority: Major > Attachments: HADOOP-16287-001.patch > > > Knox passes doAs with end user while accessing RM, WebHdfs Rest Api. > Currently KerberosAuthenticationHandler sets the remote user to Knox. Need > Trusted Proxy Support by reading doAs query parameter. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org