hadoop-common-dev mailing list archives

From "zhiyong zhang (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HADOOP-5851) proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL
Date Mon, 08 Jun 2009 18:52:07 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhiyong zhang updated HADOOP-5851:
----------------------------------

    Attachment: HADOOP-5851.patch

1.)  As suggested by Kan, trusting all server certs should not be the default setting.

Add 
<property>
  <name>ssl.client.do.not.authenticate.server</name>
  <value>false</value>
  <description> if true, trust all server certificates
  </description>
</property>
in the ssl-client.xml configuration. By default, server certificates still need to be validated.

2.) Did a code walk-through with Rob W. Also discussed with Kan that the proxy should get the group
information from the LDAP server instead of using proxyUgiManager. Changed this part so that the proxy
will pass HDFS userId and group info to the source cluster.

3.) Merged all configuration files into one configuration file (hdfsproxy-default.xml). This
saves some effort in managing the configuration files and war files.
The configuration in hdfsproxy-default.xml should contain
   <name>fs.default.name</name>
   <name>dfs.block.size</name>
   <name>io.file.buffer.size</name>
in addition to the LDAP-based properties.





> proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-5851
>                 URL: https://issues.apache.org/jira/browse/HADOOP-5851
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: contrib/hdfsproxy
>            Reporter: zhiyong zhang
>            Assignee: zhiyong zhang
>            Priority: Critical
>         Attachments: HADOOP-5851.patch, HADOOP-5851.patch, HADOOP-5851.patch, HADOOP-5851.patch
>
>
> It is easy to manage user accounts using LDAP. By adding support for LDAP, the proxy can do IP authorization in a headless fashion.
> When a user sends a request, the proxy extracts the IP address and request PathInfo from the request. Then it searches the LDAP server to get the allowed HDFS root paths given the IP address. The proxy will match the user request PathInfo with the allowed HDFS root path, and return 403 if it could not find a match.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
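
The PathInfo check described in the issue text above, as an added example (not code from HADOOP-5851.patch or the hdfsproxy code base). It assumes "match" means the request path is at or under an allowed root; the class name, the in-memory map standing in for the LDAP lookup, and the sample IPs and paths are all constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Map;

public class ProxyPathCheck {
    // Constructed stand-in for the LDAP result (client IP -> allowed roots, no trailing slash).
    static final Map<String, List<String>> ALLOWED_ROOTS = Map.of(
        "10.0.0.5", List.of("/data/projA", "/user/alice"));

    /** Returns the status the proxy would answer with: 200 to forward, 403 to refuse. */
    static int authorize(String clientIp, String pathInfo) {
        List<String> roots = ALLOWED_ROOTS.get(clientIp);
        String path = normalize(pathInfo);
        if (roots == null || path == null) {
            return 403; // unknown IP, malformed path, or ".." above "/": fail closed
        }
        for (String root : roots) {
            // Match on a segment boundary so "/data/projA" does not admit "/data/projA-private".
            if (root.equals("/") || path.equals(root) || path.startsWith(root + "/")) {
                return 200;
            }
        }
        return 403;
    }

    /** Resolves "." and ".." so "/data/projA/../other" is compared as "/data/other". */
    static String normalize(String pathInfo) {
        if (pathInfo == null || !pathInfo.startsWith("/")) return null;
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : pathInfo.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        String[] requests = {"/data/projA/f", "/data/projA-private/f", "/data/projA/../other/f"};
        for (String r : requests) {
            System.out.println(r + " -> " + authorize("10.0.0.5", r));
        }
    }
}
```

A plain `startsWith(root)` comparison on the raw PathInfo would accept the second and third sample requests, which is why the path is normalized first and the prefix is compared on a `/` boundary.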

