hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6510) doAs for proxy user
Date Sat, 30 Jan 2010 20:47:36 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806737#action_12806737

Owen O'Malley commented on HADOOP-6510:

The authorization for proxy users needs to be factored out into a new class hadoop.security.authorize.ProxyUsers
that looks like:

public class ProxyUsers {
  public ProxyUsers(Configuration conf) { ... }
  public void authorize(UserGroupInformation user, String remoteAddress) throws AccessControlException
{ ... }

The configuration must be done on a per-user basis:

hadoop.proxyuser.bob.users = bobusers
hadoop.proxyuser.bob,ip-addresses = host1, host2

hadoop.proxyuser.owen.users = doug,sue,mygroup
hadoop.proxyuser.owen.ip-addresses = host3

so bob could impersonate and user in bobusers and owen could impersonate doug, sue, or users
in mygroup.

The ip-addresses can be hostnames.

TokenIdentifier shouldn't have getRealUserName only DelegationTokenIdentifier.

Your lines go much too long, please limit them to 80 chars.

You need to factor out the code to create a UGI from the connection.

> doAs for proxy user
> -------------------
>                 Key: HADOOP-6510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6510
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Jitendra Nath Pandey
>            Assignee: Jitendra Nath Pandey
>         Attachments: HADOOP-6510.8.patch
> This jira will add support for a superuser authenticating on behalf of a proxy user.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message