hadoop-common-dev mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-16095) Support impersonation for AuthenticationFilter
Date Wed, 06 Feb 2019 18:55:00 GMT
Eric Yang created HADOOP-16095:

             Summary: Support impersonation for AuthenticationFilter
                 Key: HADOOP-16095
                 URL: https://issues.apache.org/jira/browse/HADOOP-16095
             Project: Hadoop Common
          Issue Type: New Feature
          Components: security
            Reporter: Eric Yang
            Assignee: Eric Yang

External services or YARN service may need to call into WebHDFS or YARN REST API on behalf
of the user using web protocols.  It would be good to support an impersonation mechanism in AuthenticationFilter
or similar extensions.  The general design is similar to UserGroupInformation.doAs in RPC.

The calling service credential is verified as a proxy user coming from a trusted host using
the Hadoop proxy user ACL.  If the proxy user ACL allows the proxy user to become the doAs user, the HttpRequest
object will report REMOTE_USER as the doAs user.  This feature enables web application logic to
be written with minimal changes to call the Hadoop API with the UserGroupInformation wrapper.

h2. Http Request

A few possible options:

1. Using query parameter to pass doAs user:
POST /service?doAs=foobar
Authorization: [proxy user Kerberos token]

2. Use HTTP Header to pass doAs user:
POST /service
Authorization: [proxy user Kerberos token]
x-hadoop-doas: foobar

h2. Response
403 - Forbidden (including when impersonation is not allowed)

h2. Proxy User ACL requirement

The proxy user Kerberos token maps to a service principal, such as yarn/host1.example.com.  The
host part of the credential and the HTTP request origin are both validated against the *hadoop.proxyuser.yarn.hosts*
ACL.  The doAs user's group membership or identity is checked with either *hadoop.proxyuser.yarn.groups*
or *hadoop.proxyuser.yarn.users*.  This governs whether the caller is coming from an authorized host
and belongs to an authorized group.
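The request forms, the 403 outcome and the proxy user ACL checks described above, modelled end to end in Python as an added example. This is not Hadoop's code and is not part of the issue: the config key names, the doAs query parameter and the x-hadoop-doas header come from the issue text, while the function names (authorize, doas_user, parse_acl), the Request stand-in, the treatment of "*" as a wildcard, and the sample ACL and group data are assumptions constructed for the illustration.

```python
"""Added illustration of the proxy-user check described in HADOOP-16095.
Not Hadoop's code: the config key names and the doAs query parameter /
x-hadoop-doas header follow the issue text; the function names, the '*'
wildcard handling and the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

DOAS_PARAM = "doAs"            # query parameter named in the issue
DOAS_HEADER = "x-hadoop-doas"  # HTTP header named in the issue

# Constructed proxy-user ACL for the "yarn" service principal.
CONF: Dict[str, str] = {
    "hadoop.proxyuser.yarn.hosts": "host1.example.com,host2.example.com",
    "hadoop.proxyuser.yarn.groups": "analysts",
    "hadoop.proxyuser.yarn.users": "svc-report",
}

# Constructed group membership, standing in for Hadoop's group mapping.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"analysts"},
    "bob": {"engineering"},
    "svc-report": set(),
}


@dataclass
class Request:
    """Minimal stand-in for the HttpRequest seen after Kerberos authentication."""
    principal: str            # e.g. "yarn/host1.example.com@EXAMPLE.COM"
    remote_host: str          # host the HTTP connection came from
    uri: str                  # request URI, possibly with ?doAs=...
    headers: Dict[str, str] = field(default_factory=dict)


def parse_acl(conf: Dict[str, str], key: str) -> Optional[Set[str]]:
    """Comma-separated ACL value as a set. None means the '*' wildcard
    (assumed to mean "any"); a missing key yields the empty set, so that
    an unconfigured proxy user matches nothing."""
    value = conf.get(key, "").strip()
    if value == "*":
        return None
    return {v.strip() for v in value.split(",") if v.strip()}


def matches(acl: Optional[Set[str]], item: str) -> bool:
    return acl is None or item in acl


def doas_user(req: Request) -> Optional[str]:
    """Impersonation target from the doAs query parameter or the header."""
    query = parse_qs(urlsplit(req.uri).query)
    if DOAS_PARAM in query:
        return query[DOAS_PARAM][0]
    for name, value in req.headers.items():
        if name.lower() == DOAS_HEADER:   # header names are case-insensitive
            return value
    return None


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """'yarn/host1.example.com@EXAMPLE.COM' -> ('yarn', 'host1.example.com')."""
    name = principal.split("@", 1)[0]
    short, _, host = name.partition("/")
    return short, (host or None)


def authorize(req: Request, conf=CONF, groups=GROUPS) -> Tuple[int, Optional[str]]:
    """Decide the request outcome.

    Returns (200, effective_user) when the request may proceed, with the
    user that REMOTE_USER should report; (403, None) when impersonation
    was requested but the proxy-user ACL rejects it."""
    proxy, cred_host = split_principal(req.principal)
    target = doas_user(req)
    if target is None:
        return 200, proxy                       # no impersonation requested

    hosts = parse_acl(conf, f"hadoop.proxyuser.{proxy}.hosts")
    # Both the host in the Kerberos credential and the HTTP origin must be
    # authorized hosts for this proxy user.
    if cred_host is None or not matches(hosts, cred_host):
        return 403, None
    if not matches(hosts, req.remote_host):
        return 403, None

    # The doAs user must be listed by name or belong to an allowed group.
    users = parse_acl(conf, f"hadoop.proxyuser.{proxy}.users")
    allowed_groups = parse_acl(conf, f"hadoop.proxyuser.{proxy}.groups")
    if matches(users, target):
        return 200, target
    if allowed_groups is None or groups.get(target, set()) & allowed_groups:
        return 200, target
    return 403, None


if __name__ == "__main__":
    ok = Request("yarn/host1.example.com@EXAMPLE.COM", "host1.example.com",
                 "/service?doAs=alice")
    bad = Request("yarn/host1.example.com@EXAMPLE.COM", "host1.example.com",
                  "/service", {"X-Hadoop-DoAs": "bob"})
    print(authorize(ok), authorize(bad))
```

The two host checks are deliberately separate: a service ticket issued for host1 presented from a connection that originates elsewhere is refused even though the principal itself is trusted, which is the property the hosts ACL is meant to enforce. An unconfigured proxy user (no hadoop.proxyuser.<name>.* keys at all) falls through to 403 because its ACLs parse to empty sets.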
