From: "zhiyong zhang (JIRA)"
To: core-dev@hadoop.apache.org
Date: Mon, 8 Jun 2009 11:52:07 -0700 (PDT)
Subject: [jira] Updated: (HADOOP-5851) proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL
Message-ID: <669705130.1244487127785.JavaMail.jira@brutus>
In-Reply-To: <225030090.1242413625607.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/HADOOP-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhiyong zhang updated HADOOP-5851:
----------------------------------

    Attachment: HADOOP-5851.patch

1.) As suggested by Kan, "trust all server certs" should not be the default setting. Added ssl.client.do.not.authenticate.server (default false; if true, trust all server certificates) to the ssl-client.xml configuration. By default, server certificates still need to be validated.

2.) Did a code walk-through with Rob W. Also discussed with Kan: the proxy should get the group information from the LDAP server instead of using proxyUgiManager. Changed this part so that the proxy will pass the HDFS userId and group info to the source cluster.

3.) Merged all configuration files into one configuration file (hdfsproxy-default.xml); this saves some effort in managing the configuration files and war files. The configuration in hdfsproxy-default.xml should contain fs.default.name, dfs.block.size and io.file.buffer.size in addition to the LDAP-based properties.

> proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-5851
>                 URL: https://issues.apache.org/jira/browse/HADOOP-5851
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: contrib/hdfsproxy
>            Reporter: zhiyong zhang
>            Assignee: zhiyong zhang
>            Priority: Critical
>         Attachments: HADOOP-5851.patch, HADOOP-5851.patch, HADOOP-5851.patch, HADOOP-5851.patch
>
>
> It is easy to manage user accounts using LDAP. By adding support for LDAP, the proxy can do IP authorization in a headless fashion.
> When a user sends a request, the proxy extracts the IP address and the request PathInfo from the request. Then it searches the LDAP server to get the allowed HDFS root paths for that IP address. The proxy will match the user's request PathInfo against the allowed HDFS root paths and return 403 if it cannot find a match.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
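The IP-to-root-path authorization described in the issue, as an added illustration that is not hdfsproxy's own code: the LDAP query is replaced by a constructed in-memory table, and the match is done on normalized paths with a proper path-component check, so that "/user/alice2" is not accepted as lying under "/user/alice" and ".." segments cannot escape an allowed root.

```python
import posixpath

# Constructed stand-in for the LDAP data the proxy would query:
# client IP -> allowed HDFS root paths (assumed shape, not the project's schema).
IP_TO_ALLOWED_ROOTS = {
    "10.0.0.5": ["/user/alice", "/data/shared/"],
    "10.0.0.6": ["/user/bob"],
}


def lookup_allowed_roots(client_ip):
    """Stand-in for the LDAP search by IP; unknown IPs get no roots at all."""
    return IP_TO_ALLOWED_ROOTS.get(client_ip, [])


def normalize(path):
    """Collapse '.', '..' and repeated slashes; always returns an absolute path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def path_under_root(path, root):
    """True if path equals root or is a descendant of it, by whole components only."""
    root = normalize(root)
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def authorize(client_ip, path_info):
    """Return 200 if the requested PathInfo lies under an allowed root, else 403."""
    requested = normalize(path_info)
    for root in lookup_allowed_roots(client_ip):
        if path_under_root(requested, root):
            return 200
    return 403
```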