hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Devaraj Das (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6510) doAs for proxy user
Date Sun, 07 Feb 2010 09:40:28 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830687#action_12830687
] 

Devaraj Das commented on HADOOP-6510:
-------------------------------------

Ouch i think i have overlooked the way in which you handle the proxy users configuration (ProxyUsers.java).
The authorization should be based on the real user. You currently have it based on the effective
user. The method getProxySuperuserGroupConfKey should take the realUser. The authorize method
should check if the effective user belongs to a group that the real user is authorized to
act on behalf of, and fail the authorization if not. Also, the authorize method should fail
the authorization if the configured value for the hadoop.proxyuser.<realuser>.users,
for a given <realuser> is empty. 

> doAs for proxy user
> -------------------
>
>                 Key: HADOOP-6510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6510
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Jitendra Nath Pandey
>            Assignee: Jitendra Nath Pandey
>         Attachments: HADOOP-6510.10.patch, HADOOP-6510.11.patch, HADOOP-6510.12.patch,
HADOOP-6510.14.patch, HADOOP-6510.15.patch, HADOOP-6510.16.patch, HADOOP-6510.17.patch, HADOOP-6510.18.patch,
HADOOP-6510.19.patch, HADOOP-6510.20.patch, HADOOP-6510.21.patch, HADOOP-6510.23.patch, HADOOP-6510.8.patch
>
>
> This jira will add support for a superuser authenticating on behalf of a proxy user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message