[
https://issues.apache.org/jira/browse/HADOOP-10679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14056246#comment-14056246
]
Benoy Antony edited comment on HADOOP-10679 at 1/13/15 10:01 PM:
-----------------------------------------------------------------
Modified the ServiceAuthorization framework so that it can be used to authorize
access via HTTP in addition to RPC.
The _ServiceAuthorizationManager_ uses a Class object to identify the protocol
that the user is trying to access. This is renamed to _AuthorizationManager_.
This class is templatized. To authorize RPC access, the protocol class is
passed. To authorize access to urls, the requestURI can be passed.
A set of url patterns can be mapped to a specific authorization key.
{{security.authorization.http.KEY.paths}} can contain the URL patterns and
the corresponding ACL can be specified via
{{security.authorization.http.KEY.acl}}. KEY is variable. It is possible to
define multiple authorization policies by providing different KEYs. For URIs
with no specific authorization declaration, the default ACL (shared with the
RPC service authorization) is applied.
_AuthorizationFilter_ is defined which uses the AuthorizationFramework to
authorize access to the URIs. _AuthorizationFilter_ also supports refreshing
the authorization policies. The _AuthorizationFilter_ can be plugged in by
including _AuthorizationFilterInitializer_ via configuration property
{{hadoop.http.filter.initializers}}.
The documentation is updated. The test cases are also added.
This patch includes HADOOP-10650, HADOOP-10651 and HADOOP-10654.
was (Author: benoyantony):
Modified the ServiceAuthorization framework so that it can be used to authorize
access via HTTP in addition to RPC.
The _ServiceAuthorizationManager_ uses a Class object to identify the protocol
that the user is trying to access. This is renamed to _AuthorizationManager_.
This class is templatized. To authorize RPC access, the protocol class is
passed. To authorize access to urls, the requestURI can be passed.
A set of url patterns can be mapped to a specific authorization key.
{{security.authorization.http.KEY.paths}} can contain the URL patterns and
the corresponding ACL can be specified via
{{security.authorization.http.KEY.acl}}. It is possible to define multiple
authorization policies by providing different KEYs. For URIs with no specific
authorization declaration, the default ACL (shared with the RPC service
authorization) is applied.
_AuthorizationFilter_ is defined which uses the AuthorizationFramework to
authorize access to the URIs. _AuthorizationFilter_ also supports refreshing
the authorization policies. The _AuthorizationFilter_ can be plugged in by
including _AuthorizationFilterInitializer_ via configuration property
{{hadoop.http.filter.initializers}}.
The documentation is updated. The test cases are also added.
This patch includes HADOOP-10650, HADOOP-10651 and HADOOP-10654.
> Authorize webui access using ServiceAuthorizationManager
> --------------------------------------------------------
>
> Key: HADOOP-10679
> URL: https://issues.apache.org/jira/browse/HADOOP-10679
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HADOOP-10679.patch
>
>
> Currently accessing Hadoop via RPC can be authorized using
> _ServiceAuthorizationManager_. But there is no uniform authorization of the
> HTTP access. Some of the servlets check for admin privilege.
> This creates an inconsistency of authorization between access via RPC vs
> HTTP.
> The fix is to enable authorization of the webui access also using
> _ServiceAuthorizationManager_.
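The lookup the comment describes, from request URI to the ACL property that governs it, with fallback to the default ACL, as an added example that is not code from the HADOOP-10679 patch. The class name, the pattern syntax (exact path or a prefix ending in "/*"), the longest-match rule and the default ACL property name are assumptions; the comment specifies none of them.

```java
import java.util.*;

public class HttpAclResolver {
    static final String PREFIX = "security.authorization.http.";
    // Assumed name of the default ACL shared with RPC service authorization.
    static final String DEFAULT_ACL = "security.service.authorization.default.acl";

    /** Property name of the ACL governing requestUri (assumed already normalized). */
    static String aclKeyFor(Map<String, String> conf, String requestUri) {
        String best = DEFAULT_ACL;
        int bestLen = -1;
        for (Map.Entry<String, String> e : conf.entrySet()) {
            String name = e.getKey();
            if (!name.startsWith(PREFIX) || !name.endsWith(".paths")) continue;
            for (String p : e.getValue().split(",")) {
                p = p.trim();
                if (matches(p, requestUri) && p.length() > bestLen) { // longest pattern wins
                    bestLen = p.length();
                    best = name.substring(0, name.length() - "paths".length()) + "acl";
                }
            }
        }
        return best;
    }
    // Assumed pattern syntax: an exact path, or a prefix ending in "/*".
    static boolean matches(String pattern, String uri) {
        if (!pattern.endsWith("/*")) return uri.equals(pattern);
        String base = pattern.substring(0, pattern.length() - 2);
        return uri.equals(base) || uri.startsWith(base + "/");
    }
    /** Hadoop ACL string "user1,user2 group1,group2"; "*" allows everyone. */
    static boolean allowed(String acl, String user, Set<String> groups) {
        if (acl == null) return false; // no ACL configured: deny
        if (acl.trim().equals("*")) return true;
        String[] parts = acl.split(" ", 2);
        if (Arrays.asList(parts[0].split(",")).contains(user)) return true;
        return parts.length == 2
            && !Collections.disjoint(Arrays.asList(parts[1].trim().split(",")), groups);
    }
    public static void main(String[] args) {
        Map<String, String> conf = new HashMap<>(); // constructed sample configuration
        conf.put(PREFIX + "admin.paths", "/conf,/logs/*");
        conf.put(PREFIX + "admin.acl", "hdfs ops");
        conf.put(DEFAULT_ACL, "*");
        for (String uri : new String[] {"/logs/nn.log", "/conf", "/logsX", "/jmx"}) {
            String key = aclKeyFor(conf, uri);
            System.out.println(uri + " -> " + key + ", alice allowed: " + allowed(conf.get(key), "alice", Set.of("users")));
        }
    }
}
```

With the constructed configuration, "/logsX" and "/jmx" match no pattern and fall through to the default ACL, so a permissive default leaves every unlisted URI open.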