[ https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834908#comment-16834908 ]

Eric Yang commented on HADOOP-16287:
------------------------------------

[~Prabhu Joseph] thank you for the patch. Patch 003 has two problems.

It adds a request attribute for doAsUser. If downstream logic does not look at the request attribute for doAsUser, the request has the full privileges of the authenticated user. If downstream logic sets another request attribute doAsUser, the request can switch to any user. This is not secure.

Second problem: in catching AuthorizationException, it does not return immediately after producing a response for FORBIDDEN. The request will continue to process the filter chain. This will leak more data to the caller if the caller continues to listen for packets after getting the FORBIDDEN message without disconnecting.

> KerberosAuthenticationHandler Trusted Proxy Support for Knox
> ------------------------------------------------------------
>
>                 Key: HADOOP-16287
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16287
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: auth
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16287-001.patch, HADOOP-16287-002.patch,
> HADOOP-16827-003.patch
>
>
> Knox passes doAs with end user while accessing RM, WebHdfs Rest Api.
> Currently KerberosAuthenticationHandler sets the remote user to Knox. Need
> Trusted Proxy Support by reading doAs query parameter.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
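The two review points above (a spoofable doAsUser request attribute, and continuing the filter chain after a 403) can be illustrated with a servlet filter. The example below is added here and is not code from the patch or from Hadoop itself; the class name TrustedProxyFilterExample is hypothetical, and it assumes that an earlier step in the chain has already authenticated the caller with Kerberos so that getRemoteUser() returns the proxy's principal. It uses Hadoop's real ProxyUsers.authorize and UserGroupInformation.createProxyUser for the trusted-proxy check.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/**
 * Illustrative filter (hypothetical, not Hadoop's own code) showing how a
 * doAs parameter from a trusted proxy such as Knox should be applied:
 *  - the proxy check happens via ProxyUsers.authorize (hadoop.proxyuser.* config);
 *  - a failed check sends 403 and RETURNS, never continuing the chain;
 *  - the effective user is exposed through a request wrapper, not a
 *    mutable request attribute that downstream code could ignore or overwrite.
 */
public class TrustedProxyFilterExample implements Filter {

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpResp = (HttpServletResponse) resp;

    // Assumed: Kerberos authentication already ran; this is the proxy's principal.
    String realUser = httpReq.getRemoteUser();
    String doAs = httpReq.getParameter("doAs");
    String effectiveUser = realUser;

    if (doAs != null && !doAs.isEmpty()) {
      try {
        // Is realUser allowed to impersonate doAs from this host? Throws on failure.
        UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
            doAs, UserGroupInformation.createRemoteUser(realUser));
        ProxyUsers.authorize(proxyUgi, req.getRemoteAddr());
        effectiveUser = doAs;
      } catch (AuthorizationException e) {
        // Second review point: respond with FORBIDDEN and stop processing.
        // Falling through to chain.doFilter() here would leak downstream data.
        httpResp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
        return;
      }
    }

    // First review point: make the effective user visible only through the
    // standard accessors. Downstream code cannot forget to read an attribute,
    // and cannot switch users by setting one, because the wrapper is read-only.
    final String user = effectiveUser;
    HttpServletRequest wrapped = new HttpServletRequestWrapper(httpReq) {
      @Override
      public String getRemoteUser() {
        return user;
      }

      @Override
      public Principal getUserPrincipal() {
        return new Principal() {
          @Override
          public String getName() {
            return user;
          }
        };
      }
    };
    chain.doFilter(wrapped, resp);
  }

  @Override
  public void init(FilterConfig filterConfig) {
  }

  @Override
  public void destroy() {
  }
}
```

The `return` after `sendError` is the whole fix for the second point: a servlet filter has no implicit "stop", so anything after the error response, including `chain.doFilter`, still executes and writes into the same response stream unless control leaves the method.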