From: zhz@apache.org To: common-commits@hadoop.apache.org Date: Mon, 26 Jan 2015 17:44:44 -0000 Message-Id: In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [29/50] [abbrv] hadoop git commit: HADOOP-11008. Remove duplicated description about proxy-user in site documents (Masatake Iwasaki via aw) HADOOP-11008. Remove duplicated description about proxy-user in site documents (Masatake Iwasaki via aw) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c13d501f Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c13d501f Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c13d501f Branch: refs/heads/HDFS-EC Commit: c13d501f51bc26368ef04631c2aadc2365a05c26 Parents: abb0115 Author: Allen Wittenauer Authored: Thu Jan 22 14:30:21 2015 -0800 Committer: Zhe Zhang Committed: Mon Jan 26 09:43:28 2015 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 + .../src/site/apt/SecureMode.apt.vm | 53 +------------- .../src/site/apt/Superusers.apt.vm | 74 ++++++++++++++++---- hadoop-project/src/site/site.xml | 2 +- 4 files changed, 64 insertions(+), 68 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index aaa7041..47eaf7b 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt 
@@ -747,6 +747,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11500. InputStream is left unclosed in ApplicationClassLoader. (Ted Yu via ozawa) + HADOOP-11008. Remove duplicated description about proxy-user in site + documents (Masatake Iwasaki via aw) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm index 0a11bef..0235219 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm 
@@ -202,58 +202,7 @@ KVNO Timestamp Principal Some products such as Apache Oozie which access the services of Hadoop on behalf of end users need to be able to impersonate end users. - You can configure proxy user using properties - <<>> along with either or both of - <<>> - and <<>>. - - For example, by specifying as below in core-site.xml, - user named <<>> accessing from any host - can impersonate any user belonging to any group. - ----- - - hadoop.proxyuser.oozie.hosts - * - - - hadoop.proxyuser.oozie.groups - * - ----- - - User named <<>> accessing from any host - can impersonate user1 and user2 by specifying as below in core-site.xml. - ----- - - hadoop.proxyuser.oozie.hosts - * - - - hadoop.proxyuser.oozie.users - user1,user2 - ----- - - The <<>> accepts list of ip addresses, - ip address ranges in CIDR format and/or host names. - - For example, by specifying as below in core-site.xml, - user named <<>> accessing from hosts in the range - 10.222.0.0-15 and 10.113.221.221 - can impersonate any user belonging to any group. - ----- - - hadoop.proxyuser.oozie.hosts - 10.222.0.0/16,10.113.221.221 - - - hadoop.proxyuser.oozie.groups - * - ----- + See {{{./Superusers.html}the doc of proxy user}} for details. ** Secure DataNode http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm index f940884..78ed9a4 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm 
@@ -11,19 +11,19 @@ ~~ limitations under the License. See accompanying LICENSE file. --- - Superusers Acting On Behalf Of Other Users + Proxy user - Superusers Acting On Behalf Of Other Users --- --- ${maven.build.timestamp} -Superusers Acting On Behalf Of Other Users +Proxy user - Superusers Acting On Behalf Of Other Users %{toc|section=1|fromDepth=0} * Introduction This document describes how a superuser can submit jobs or access hdfs - on behalf of another user in a secured way. + on behalf of another user. * Use Case @@ -38,9 +38,12 @@ Superusers Acting On Behalf Of Other Users on a connection authenticated with super's kerberos credentials. In other words super is impersonating the user joe. + Some products such as Apache Oozie need this. + + * Code example - In this example super's kerberos credentials are used for login and a + In this example super's credentials are used for login and a proxy user ugi object is created for joe. The operations are performed within the doAs method of this proxy user ugi object. @@ -63,21 +66,26 @@ Superusers Acting On Behalf Of Other Users * Configurations - The superuser must be configured on namenode and jobtracker to be - allowed to impersonate another user. Following configurations are - required. + You can configure proxy user using properties + <<>> along with either or both of + <<>> + and <<>>. + + By specifying as below in core-site.xml, + the superuser named <<>> can connect + only from <<>> and <<>> + to impersonate a user belonging to <<>> and <<>>. ---- - hadoop.proxyuser.super.groups - group1,group2 - Allow the superuser super to impersonate any members of the group group1 and group2 - - hadoop.proxyuser.super.hosts host1,host2 - The superuser can connect only from host1 and host2 to impersonate a user + + hadoop.proxyuser.super.groups + group1,group2 + + ---- If these configurations are not present, impersonation will not be 
@@ -85,11 +93,47 @@ Superusers Acting On Behalf Of Other Users If more lax security is preferred, the wildcard value * may be used to allow impersonation from any host or of any user. + For example, by specifying as below in core-site.xml, + user named <<>> accessing from any host + can impersonate any user belonging to any group. + +---- + + hadoop.proxyuser.oozie.hosts + * + + + hadoop.proxyuser.oozie.groups + * + +---- + + The <<>> accepts list of ip addresses, + ip address ranges in CIDR format and/or host names. + For example, by specifying as below, + user named <<>> accessing from hosts in the range + <<<10.222.0.0-15>>> and <<<10.113.221.221>>> can impersonate + <<>> and <<>>. + +---- + + hadoop.proxyuser.super.hosts + 10.222.0.0/16,10.113.221.221 + + + hadoop.proxyuser.super.users + user1,user2 + +---- + * Caveats - The superuser must have kerberos credentials to be able to impersonate - another user. It cannot use delegation tokens for this feature. It + If the cluster is running in {{{./SecureMode.html}Secure Mode}}, + the superuser must have kerberos credentials to be able to impersonate + another user. + + It cannot use delegation tokens for this feature. It would be wrong if superuser adds its own delegation token to the proxy user ugi, as it will allow the proxy user to connect to the service with the privileges of the superuser. http://git-wip-us.apache.org/repos/asf/hadoop/blob/c13d501f/hadoop-project/src/site/site.xml ---------------------------------------------------------------------- diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml index 637f7eb..6fa6648 100644 --- a/hadoop-project/src/site/site.xml +++ b/hadoop-project/src/site/site.xml @@ -60,7 +60,7 @@ - +
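Review bot: the new link text in the SecureMode.apt.vm hunk (`+ See {{{./Superusers.html}the doc of proxy user}} for details.`) reads awkwardly and does not match the page it points at; suggest `See {{{./Superusers.html}Proxy user}} for how to configure the hadoop.proxyuser.* properties.` so the label matches the new "Proxy user" title introduced in Superusers.apt.vm and tells the reader what they will find there.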
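Review bot: in the Superusers.apt.vm Use Case hunk, the added sentence `+ Some products such as Apache Oozie need this.` is terse and "this" has no clear antecedent after the paragraph about super impersonating joe; suggest `Some products, such as Apache Oozie, need to impersonate end users in this way.`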
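Review bot: in the Superusers.apt.vm Configurations hunk, the new prose promises a host restriction ("can connect only from ... and ...") but the replacement core-site.xml block, as it appears in the hunk, only carries `hadoop.proxyuser.super.groups` with `group1,group2`; the removed lines had both `hadoop.proxyuser.super.hosts host1,host2` and the groups property. Please confirm the `hadoop.proxyuser.super.hosts` entry is present in the new block, otherwise the example silently drops the host restriction that the surrounding text describes, and readers copying the snippet would get an impersonation rule bounded by group membership only.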
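Review bot: in the Superusers.apt.vm hunk at -85,11 +93,47, the prose describes the hosts value as the range `<<<10.222.0.0-15>>>` while the configured value is `10.222.0.0/16`; a /16 block spans 10.222.0.0 through 10.222.255.255, so the label does not describe the setting (this mismatch is carried over from the SecureMode text being removed, and the move is the place to fix it). Suggest naming the CIDR block itself in the prose, e.g. "accessing from hosts in `<<<10.222.0.0/16>>>` or from `<<<10.113.221.221>>>`". Two smaller points in the same hunk: the `*`/`*` example for hosts and groups sits directly after the "more lax security" sentence, so it would help to state explicitly that it is the least restrictive setting and that the following hosts plus users example is the recommended shape; and in the Caveats split, the new paragraph opening `+ It cannot use delegation tokens for this feature.` now has "It" separated from "the superuser" by a paragraph break, so spell out the subject as `The superuser cannot use delegation tokens for this feature.`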