[ https://issues.apache.org/jira/browse/YARN-7923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361554#comment-16361554 ]
Eric Yang edited comment on YARN-7923 at 2/12/18 10:44 PM:
-----------------------------------------------------------

Sorry, filed with wrong project.

was (Author: eyang):
    Sorry, failed with wrong project.

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
>                 Key: YARN-7923
>                 URL: https://issues.apache.org/jira/browse/YARN-7923
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>
> This Jira is responding to follow up work for HADOOP-14077. The original
> goal of HADOOP-14077 is to have the ability to support multiple ACL lists. When
> checking for proxy user authorization in AuthenticationFilter to ensure there
> is a way to authorize normal users and admin users using separate proxy users
> ACL lists. This was suggested in
> [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15875737]
> to configure AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFilterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser to validate both
> credentials claimed by the proxy user and the end user.
> However, there is a side effect that unauthorized users are not properly
> rejected with a 403 FORBIDDEN message if there is no other web filter
> configured to handle the required authorization work.
> This JIRA is intended to discuss the work of HADOOP-14077 by either combining
> StaticUserWebFilter + the second AuthenticationFilterWithProxyUser into an
> AuthorizationFilterWithProxyUser as a final filter to evict unauthorized
> users, or reverting both HADOOP-14077 and HADOOP-13119 to eliminate the false
> positive in user authorization.