hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From z..@apache.org
Subject [29/50] [abbrv] hadoop git commit: HADOOP-11008. Remove duplicated description about proxy-user in site documents (Masatake Iwasaki via aw)
Date Mon, 26 Jan 2015 17:44:44 GMT
HADOOP-11008. Remove duplicated description about proxy-user in site documents (Masatake Iwasaki
via aw)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c13d501f
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c13d501f
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c13d501f

Branch: refs/heads/HDFS-EC
Commit: c13d501f51bc26368ef04631c2aadc2365a05c26
Parents: abb0115
Author: Allen Wittenauer <aw@apache.org>
Authored: Thu Jan 22 14:30:21 2015 -0800
Committer: Zhe Zhang <zhz@apache.org>
Committed: Mon Jan 26 09:43:28 2015 -0800

----------------------------------------------------------------------
 hadoop-common-project/hadoop-common/CHANGES.txt |  3 +
 .../src/site/apt/SecureMode.apt.vm              | 53 +-------------
 .../src/site/apt/Superusers.apt.vm              | 74 ++++++++++++++++----
 hadoop-project/src/site/site.xml                |  2 +-
 4 files changed, 64 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index aaa7041..47eaf7b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -747,6 +747,9 @@ Release 2.7.0 - UNRELEASED
     HADOOP-11500. InputStream is left unclosed in ApplicationClassLoader.
     (Ted Yu via ozawa)
 
+    HADOOP-11008. Remove duplicated description about proxy-user in site 
+    documents (Masatake Iwasaki via aw)
+
 Release 2.6.0 - 2014-11-18
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm
index 0a11bef..0235219 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm
@@ -202,58 +202,7 @@ KVNO Timestamp         Principal
 
   Some products such as Apache Oozie which access the services of Hadoop
   on behalf of end users need to be able to impersonate end users.
-  You can configure proxy user using properties
-  <<<hadoop.proxyuser.${superuser}.hosts>>> along with either or both of

-  <<<hadoop.proxyuser.${superuser}.groups>>>
-  and <<<hadoop.proxyuser.${superuser}.users>>>.
-
-  For example, by specifying as below in core-site.xml,
-  user named <<<oozie>>> accessing from any host
-  can impersonate any user belonging to any group.
-
-----
-  <property>
-    <name>hadoop.proxyuser.oozie.hosts</name>
-    <value>*</value>
-  </property>
-  <property>
-    <name>hadoop.proxyuser.oozie.groups</name>
-    <value>*</value>
-  </property>
-----
-
-  User named <<<oozie>>> accessing from any host
-  can impersonate user1 and user2 by specifying as below in core-site.xml.
-
-----
-  <property>
-    <name>hadoop.proxyuser.oozie.hosts</name>
-    <value>*</value>
-  </property>
-  <property>
-    <name>hadoop.proxyuser.oozie.users</name>
-    <value>user1,user2</value>
-  </property>
-----
-
-  The <<<hadoop.proxyuser.${superuser}.hosts>>> accepts list of ip addresses,
-  ip address ranges in CIDR format and/or host names.
-  
-  For example, by specifying as below in core-site.xml,
-  user named <<<oozie>>> accessing from hosts in the range 
-  10.222.0.0-15 and 10.113.221.221
-  can impersonate any user belonging to any group.
-  
-----
-  <property>
-    <name>hadoop.proxyuser.oozie.hosts</name>
-    <value>10.222.0.0/16,10.113.221.221</value>
-  </property>
-  <property>
-    <name>hadoop.proxyuser.oozie.groups</name>
-    <value>*</value>
-  </property>
-----
+  See {{{./Superusers.html}the doc of proxy user}} for details.
 
 ** Secure DataNode
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm
index f940884..78ed9a4 100644
--- a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm
+++ b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm
@@ -11,19 +11,19 @@
 ~~ limitations under the License. See accompanying LICENSE file.
 
   ---
-  Superusers Acting On Behalf Of Other Users
+  Proxy user - Superusers Acting On Behalf Of Other Users
   ---
   ---
   ${maven.build.timestamp}
 
-Superusers Acting On Behalf Of Other Users
+Proxy user - Superusers Acting On Behalf Of Other Users
 
 %{toc|section=1|fromDepth=0}
 
 * Introduction
 
    This document describes how a superuser can submit jobs or access hdfs
-   on behalf of another user in a secured way.
+   on behalf of another user.
 
 * Use Case
 
@@ -38,9 +38,12 @@ Superusers Acting On Behalf Of Other Users
    on a connection authenticated with super's kerberos credentials. In
    other words super is impersonating the user joe.
 
+   Some products such as Apache Oozie need this.
+
+
 * Code example
 
-   In this example super's kerberos credentials are used for login and a
+   In this example super's credentials are used for login and a
    proxy user ugi object is created for joe. The operations are performed
    within the doAs method of this proxy user ugi object.
 
@@ -63,21 +66,26 @@ Superusers Acting On Behalf Of Other Users
 
 * Configurations
 
-   The superuser must be configured on namenode and jobtracker to be
-   allowed to impersonate another user. Following configurations are
-   required.
+   You can configure proxy user using properties
+   <<<hadoop.proxyuser.${superuser}.hosts>>> along with either or both
of 
+   <<<hadoop.proxyuser.${superuser}.groups>>>
+   and <<<hadoop.proxyuser.${superuser}.users>>>.
+
+   By specifying as below in core-site.xml,
+   the superuser named <<<super>>> can connect
+   only from <<<host1>>> and <<<host2>>>
+   to impersonate a user belonging to <<<group1>>> and <<<group2>>>.
 
 ----
    <property>
-     <name>hadoop.proxyuser.super.groups</name>
-     <value>group1,group2</value>
-     <description>Allow the superuser super to impersonate any members of the group
group1 and group2</description>
-   </property>
-   <property>
      <name>hadoop.proxyuser.super.hosts</name>
      <value>host1,host2</value>
-     <description>The superuser can connect only from host1 and host2 to impersonate
a user</description>
    </property>
+   <property>
+     <name>hadoop.proxyuser.super.groups</name>
+     <value>group1,group2</value>
+   </property>
+
 ----
 
    If these configurations are not present, impersonation will not be
@@ -85,11 +93,47 @@ Superusers Acting On Behalf Of Other Users
 
    If more lax security is preferred, the wildcard value * may be used to
    allow impersonation from any host or of any user.
+   For example, by specifying as below in core-site.xml,
+   user named <<<oozie>>> accessing from any host
+   can impersonate any user belonging to any group.
+
+----
+  <property>
+    <name>hadoop.proxyuser.oozie.hosts</name>
+    <value>*</value>
+  </property>
+  <property>
+    <name>hadoop.proxyuser.oozie.groups</name>
+    <value>*</value>
+  </property>
+----
+
+   The <<<hadoop.proxyuser.${superuser}.hosts>>> accepts list of ip addresses,
+   ip address ranges in CIDR format and/or host names.
+   For example, by specifying as below,
+   user named <<<super>>> accessing from hosts in the range 
+   <<<10.222.0.0-15>>> and <<<10.113.221.221>>> can impersonate
+   <<<user1>>> and <<<user2>>>.
+      
+----
+   <property>
+     <name>hadoop.proxyuser.super.hosts</name>
+     <value>10.222.0.0/16,10.113.221.221</value>
+   </property>
+   <property>
+     <name>hadoop.proxyuser.super.users</name>
+     <value>user1,user2</value>
+   </property>
+----
+
 
 * Caveats
 
-   The superuser must have kerberos credentials to be able to impersonate
-   another user. It cannot use delegation tokens for this feature. It
+   If the cluster is running in {{{./SecureMode.html}Secure Mode}},
+   the superuser must have kerberos credentials to be able to impersonate
+   another user.
+
+   It cannot use delegation tokens for this feature. It
    would be wrong if superuser adds its own delegation token to the proxy
    user ugi, as it will allow the proxy user to connect to the service
    with the privileges of the superuser.

http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-project/src/site/site.xml
----------------------------------------------------------------------
diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml
index 637f7eb..6fa6648 100644
--- a/hadoop-project/src/site/site.xml
+++ b/hadoop-project/src/site/site.xml
@@ -60,7 +60,7 @@
     <menu name="Common" inherit="top">
       <item name="CLI Mini Cluster" href="hadoop-project-dist/hadoop-common/CLIMiniCluster.html"/>
       <item name="Native Libraries" href="hadoop-project-dist/hadoop-common/NativeLibraries.html"/>
-      <item name="Superusers" href="hadoop-project-dist/hadoop-common/Superusers.html"/>
+      <item name="Proxy User" href="hadoop-project-dist/hadoop-common/Superusers.html"/>
       <item name="Secure Mode" href="hadoop-project-dist/hadoop-common/SecureMode.html"/>
       <item name="Service Level Authorization" href="hadoop-project-dist/hadoop-common/ServiceLevelAuth.html"/>
       <item name="HTTP Authentication" href="hadoop-project-dist/hadoop-common/HttpAuthentication.html"/>


Mime
View raw message