hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ranadip (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11478) HttpFSServer does not properly impersonate a real user when executing "open" operation in a kerberised environment
Date Wed, 14 Jan 2015 20:09:34 GMT
Ranadip created HADOOP-11478:
--------------------------------

             Summary: HttpFSServer does not properly impersonate a real user when executing
"open" operation in a kerberised environment
                 Key: HADOOP-11478
                 URL: https://issues.apache.org/jira/browse/HADOOP-11478
             Project: Hadoop Common
          Issue Type: Bug
    Affects Versions: 2.6.0
         Environment: CentOS
            Reporter: Ranadip
            Priority: Blocker


Setup:
- Kerberos enabled in the cluster, including Hue SSO
- Encryption enabled using KMS. Encryption key and encryption zone created. KMS key level
ACL created to allow only real user to have all access to the key and no one else.
Manifestation:
Using Hue, real user logged in using Kerberos credentials. For direct access, user does kinit
and then uses curl calls.
New file creation inside encryption zone goes ahead fine as expected. 
But attempts to view the contents of the file fails with exception:
"User [httpfs] is not authorized to perform [DECRYPT_EEK] on key with ACL name [mykeyname]!!"

Perhaps, this is linked to bug #HDFS-6849. In the file HttpFSServer.java, the OPEN handler
calls command.execute(fs) directly (and this fails). In CREATE, that call is wrapped within
fsExecute(user, command). Apparently, this seems to cause the problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message