[ https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834908#comment-16834908 ]

Eric Yang commented on HADOOP-16287:
------------------------------------

[~Prabhu Joseph] thank you for the patch. Patch 003 has two problems. It adds a
request attribute for doAsUser. If downstream logic does not look at the request
attribute for doAsUser, the request has the full privileges of the authenticated
user. If downstream logic sets another request attribute doAsUser, the request
can switch to any user. This is not secure. Second problem: in catching
AuthorizationException, it does not return immediately after producing a response
for FORBIDDEN. The request will continue to process the filter chain. This
will leak more data to the caller if the caller continues to listen for packets
after getting the FORBIDDEN message without disconnecting.

> KerberosAuthenticationHandler Trusted Proxy Support for Knox
> ------------------------------------------------------------
>
>                 Key: HADOOP-16287
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16287
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: auth
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16287-001.patch, HADOOP-16287-002.patch, 
> HADOOP-16827-003.patch
>
>
> Knox passes doAs with the end user while accessing the RM and WebHdfs REST APIs.
> Currently KerberosAuthenticationHandler sets the remote user to Knox. Need
> Trusted Proxy Support by reading the doAs query parameter.
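The two review points above (an overridable doAsUser request attribute, and a FORBIDDEN response that does not stop the filter chain) can be shown in a plain servlet filter. The following is an added illustration written for this page, not Hadoop's KerberosAuthenticationHandler or any of the attached patches; the class names `TrustedProxyFilter`, `ImpersonatedRequest`, `ProxyAuthorizationException`, the `TRUSTED_PROXIES` allow-list and the `authorizeDoAs` helper are assumptions made for the example.

```java
// Added illustration (not Hadoop's code): a servlet filter that resolves a
// trusted-proxy "doAs" request. The class and helper names below are assumed
// for this example; the allow-list contents are a constructed sample.
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class TrustedProxyFilter implements Filter {

  /** Assumed exception: the proxy is not allowed to impersonate the target user. */
  public static class ProxyAuthorizationException extends Exception {
    ProxyAuthorizationException(String msg) { super(msg); }
  }

  /** Assumed allow-list of principals permitted to impersonate (constructed sample). */
  private static final Set<String> TRUSTED_PROXIES = Set.of("knox@EXAMPLE.COM");

  /**
   * First review point: expose the impersonated identity through the standard
   * getRemoteUser() API of a request wrapper instead of a mutable request
   * attribute. Downstream code reads the same identity every other filter
   * sees and cannot switch users by setting an attribute.
   */
  private static final class ImpersonatedRequest extends HttpServletRequestWrapper {
    private final String effectiveUser;

    ImpersonatedRequest(HttpServletRequest req, String effectiveUser) {
      super(req);
      this.effectiveUser = effectiveUser;
    }

    @Override
    public String getRemoteUser() { return effectiveUser; }
  }

  /** Returns the user the request should run as, or throws if impersonation is not allowed. */
  static String authorizeDoAs(String authenticatedUser, String doAs)
      throws ProxyAuthorizationException {
    if (doAs == null || doAs.isEmpty()) {
      return authenticatedUser;            // no impersonation requested
    }
    if (authenticatedUser == null || !TRUSTED_PROXIES.contains(authenticatedUser)) {
      throw new ProxyAuthorizationException(
          authenticatedUser + " is not allowed to impersonate " + doAs);
    }
    return doAs;
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // Identity established by the authentication filter that ran before this one.
    String authenticatedUser = req.getRemoteUser();
    String effectiveUser;
    try {
      effectiveUser = authorizeDoAs(authenticatedUser, req.getParameter("doAs"));
    } catch (ProxyAuthorizationException e) {
      // Second review point: send the 403 and stop here. Without the return,
      // chain.doFilter() would still run and the protected response body would
      // follow the FORBIDDEN status to a caller that keeps reading.
      resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
      return;
    }
    chain.doFilter(new ImpersonatedRequest(req, effectiveUser), resp);
  }

  @Override
  public void init(FilterConfig cfg) {}

  @Override
  public void destroy() {}
}
```

The wrapper is the part that addresses the first point: a filter placed later in the chain that calls `request.setAttribute("doAsUser", ...)` has no effect on what `getRemoteUser()` returns, so the effective user is fixed once at the authorization step. The `return` after `sendError` is the whole of the second point; the status line alone does not terminate the request, the filter does.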


