[
https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126710#comment-13126710
]
Alejandro Abdelnur commented on MAPREDUCE-2858:
-----------------------------------------------
My be I'm not getting enough hours of sleep lately but I'm not able to get a
full understanding of how the proxy works. Would be possible to have a sequence
diagram showing the steps and data that flow for a request? Asking because the
proxy seems to be talking with the RM, seems to be rewriting data (URLs), etc,
etc. That is not simple stuff.
On a complete different twist if the concern is about an AM seeing the
'company-wide' cookies from a user because of the single sign on; wouldn't be
simpler that the AM container provides an API to register filters&servlets and
filters out all cookies before giving control to the AM filter/servlet? And, to
avoid the AM code to open an arbitrary port to listen to non-curated HTTP
requests, the AM container would run with a security manager that prevents
opening new sockets. Recapping:
* The AM container initializes an AM HTTP server.
* The AM HTTP server is preinitialized with any 'company' specific
authentication filter.
* The AM runs in a SecurityManager that forbids AM code to open ports.
* The AM code can register servlets and filters to this AM HTTP server.
* The AM code starts the AM HTTP server server once all servlets & filters are
register.
* The AM HTTP server filters out all cookies, thus the AM code does not see
them.
IMO this addresses the original issues without having to do introduce
Application Proxies with complex logic.
Thoughts?
> MRv2 WebApp Security
> --------------------
>
> Key: MAPREDUCE-2858
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: applicationmaster, mrv2, security
> Affects Versions: 0.23.0
> Reporter: Luke Lu
> Assignee: Luke Lu
> Priority: Blocker
> Fix For: 0.23.0
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and
> NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the
> application. While this offers great flexibility
> to run multiple version of mapreduce frameworks (including their UI) on the
> same Hadoop cluster, it has significant
> implication for the security of webapps (Please do not discuss company
> specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This the top jira for webapp security. A design doc/notes of threat-modeling
> and counter measures will be posted on the wiki.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
