[ 
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811801#comment-13811801
 ] 

Devaraj Das commented on HBASE-9866:
------------------------------------

bq. Are we sure effectiveUser is always set even when SPNEGO/security is not 
enabled?
Yes. The constructor of RESTServlet initializes the realUser which is the 
initial value of effectiveUser.

bq. Should we use parameter "doAs"?
I'll update this..

bq. Can we make sure there is no javadoc/findbugs warnings?
Yes. I'll look at this..

bq. Another thing is that we have two proxy users. One is the user 
authenticated with SPNEGO. The other is the real user. We switch the proxy user 
in the middle. Is this a security concern?
We have proxy user authorization check before the switch is made. 
{code}ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);{code}. The 
proxy user authorization check will fail unless the user making the REST call 
is authorized to perform the doAs on behalf of the configured group and he is 
coming from a known IP address. No new security concern here ..

> Support the mode where REST server authorizes proxy users
> ---------------------------------------------------------
>
>                 Key: HBASE-9866
>                 URL: https://issues.apache.org/jira/browse/HBASE-9866
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.96.1
>
>         Attachments: 9866-1.txt
>
>
> In one use case, someone was trying to authorize with the REST server as a 
> proxy user. That mode is not supported today. 
> The curl request would be something like (assuming SPNEGO auth) - 
> {noformat}
> curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.1#6144)
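The proxy-user check the comment relies on is Hadoop's ProxyUsers.authorize(): it passes only when the impersonated (doAs) user belongs to a group listed under hadoop.proxyuser.<realUser>.groups AND the request's remote address is listed under hadoop.proxyuser.<realUser>.hosts. The following is an added, stand-alone illustration of that policy evaluation, not code from HBASE-9866 or the HBase REST server. It assumes hadoop-common on the classpath; the principal name "gateway", the group names "analysts", "svc" and "guests", the users "alice" and "mallory", and the addresses 10.0.0.5 and 192.0.2.9 are hypothetical values chosen for the example, and the *ForTesting UGI factories are used so that no OS group lookup or Kerberos login is needed.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/**
 * Illustrates the two conditions ProxyUsers.authorize enforces before a
 * real (SPNEGO-authenticated) user may act as a doAs user:
 *   1. the doAs user is in a group allowed for the real user, and
 *   2. the request arrives from an address allowed for the real user.
 * Hypothetical policy and identities; not HBase project code.
 */
public class ProxyUserCheckDemo {

  /** Wraps the Hadoop check so each case reports allowed/denied instead of throwing. */
  static boolean allowed(UserGroupInformation proxyUgi, String remoteAddr, Configuration conf) {
    try {
      // Same call the REST server makes: proxyUgi carries the doAs user with
      // getRealUser() set to the authenticated caller; remoteAddr is the
      // value of request.getRemoteAddr() in the servlet.
      ProxyUsers.authorize(proxyUgi, remoteAddr, conf);
      return true;
    } catch (AuthorizationException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    Configuration conf = new Configuration();
    // Hypothetical policy: principal "gateway" may impersonate members of
    // group "analysts", but only when the request comes from 10.0.0.5.
    // Both keys are the standard hadoop.proxyuser.<user>.groups / .hosts keys.
    conf.set("hadoop.proxyuser.gateway.groups", "analysts");
    conf.set("hadoop.proxyuser.gateway.hosts", "10.0.0.5");
    // ProxyUsers caches the policy; load it from this Configuration.
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

    // The authenticated caller (what SPNEGO would establish as the real user).
    UserGroupInformation gateway =
        UserGroupInformation.createUserForTesting("gateway", new String[] {"svc"});

    // doAs targets: one in the allowed group, one not. The *ForTesting factory
    // fixes their group memberships so no OS group resolution is attempted.
    UserGroupInformation alice =
        UserGroupInformation.createProxyUserForTesting("alice", gateway, new String[] {"analysts"});
    UserGroupInformation mallory =
        UserGroupInformation.createProxyUserForTesting("mallory", gateway, new String[] {"guests"});

    // Case 1: allowed group, allowed address.
    System.out.println("alice from 10.0.0.5:   " + allowed(alice, "10.0.0.5", conf));
    // Case 2: allowed group, but the address is not in the hosts list.
    System.out.println("alice from 192.0.2.9:  " + allowed(alice, "192.0.2.9", conf));
    // Case 3: allowed address, but the doAs user is not in an allowed group.
    System.out.println("mallory from 10.0.0.5: " + allowed(mallory, "10.0.0.5", conf));
  }
}
```

Two practical caveats follow from this. The hosts list is what ties the doAs privilege to a known origin, so a wildcard ("*") in hadoop.proxyuser.<user>.hosts turns any holder of that principal's credentials into an impersonator from anywhere; and because the groups checked are those of the doAs target, the policy is only as tight as the group mapping the server resolves (here fixed by the test factories; in production, whatever hadoop.security.group.mapping returns).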