hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6510) doAs for proxy user
Date Fri, 05 Feb 2010 00:58:28 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12829895#action_12829895
] 

Kan Zhang commented on HADOOP-6510:
-----------------------------------

Patch looks good. One question. It seems when a connection is set up and the ugi associated
with the connection is of the form (B, A), where B is the effective user and A is the real
user, it could mean 2 things in terms of what happened. One is that client A authenticated
via Kerberos and wants to act as B. The other that is the client authenticated as B using
a token that obtained by A for B. Can you confirm currently we don't have a need to differentiate
these 2 cases? Also, can you please add a comment in the code saying we only allow doAs()
for Kerberos authenticated clients and that's why in your patch you skip authorization based
on real user if the authentication was done via DIGEST/token?

> doAs for proxy user
> -------------------
>
>                 Key: HADOOP-6510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6510
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Jitendra Nath Pandey
>            Assignee: Jitendra Nath Pandey
>         Attachments: HADOOP-6510.10.patch, HADOOP-6510.11.patch, HADOOP-6510.12.patch,
HADOOP-6510.14.patch, HADOOP-6510.15.patch, HADOOP-6510.16.patch, HADOOP-6510.17.patch, HADOOP-6510.8.patch
>
>
> This jira will add support for a superuser authenticating on behalf of a proxy user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message