[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811801#comment-13811801 ]
Devaraj Das commented on HBASE-9866: ------------------------------------ bq. Are we sure effectiveUser is always set even when SPENGO/security is not enabled? Yes. The constructor of RESTServlet initializes the realUser which is the initial value of effectiveUser. bq. Should we use parameter "doAs"? I'll update this.. bq. Can we make sure there is no javadoc/findbugs warnings? Yes. I'll look at this.. bq. Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern? We have proxy user authorization check before the switch is made. {code}ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);{code}. The proxy user authorization check will fail unless the user making the REST call is authorized to perform the doAs on behalf of the configured group and he is coming from a known IP address. No new security concern here .. > Support the mode where REST server authorizes proxy users > --------------------------------------------------------- > > Key: HBASE-9866 > URL: https://issues.apache.org/jira/browse/HBASE-9866 > Project: HBase > Issue Type: Improvement > Reporter: Devaraj Das > Assignee: Devaraj Das > Fix For: 0.96.1 > > Attachments: 9866-1.txt > > > In one use case, someone was trying to authorize with the REST server as a > proxy user. That mode is not supported today. > The curl request would be something like (assuming SPNEGO auth) - > {noformat} > curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER> > {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)