Return-Path: 
 <common-issues-return-39643-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 4B611D5D9
	for <apmail-hadoop-common-issues-archive@minotaur.apache.org>;
 Fri,  2 Nov 2012 19:17:14 +0000 (UTC)
Received: (qmail 93761 invoked by uid 500); 2 Nov 2012 19:17:13 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 93730 invoked by uid 500); 2 Nov 2012 19:17:13 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 93679 invoked by uid 99); 2 Nov 2012 19:17:13 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Nov 2012 19:17:13 +0000
Date: Fri, 2 Nov 2012 19:17:13 +0000 (UTC)
From: "Luke Lu (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <299408331.62425.1351883833491.JavaMail.jiratomcat@arcas>
In-Reply-To: <1162409437.7740.1341483034791.JavaMail.jiratomcat@issues-vm>
Subject: [jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for
 secure impersonation in child hadoop client processes
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489674#comment-13489674 ] 

Luke Lu commented on HADOOP-8561:
---------------------------------

This approach has added benefit of working with clients (like HBase shell) not written in Java.

bq. Using an env makes me a bit squeamish since it may introduce an unexpected attack vector.

It won't do anything for ordinary users. An admin web app of course needs to do a few things sanitize the input to disallow fork/exec etc.
                
> Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes
> -------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8561
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8561
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Luke Lu
>            Assignee: Yu Gao
>         Attachments: hadoop-8561-branch-1.patch, hadoop-8561-branch-2.patch, hadoop-8561.patch
>
>
> To solve the problem for an authenticated user to type hadoop shell commands in a web console, we can introduce an HADOOP_PROXY_USER environment variable to allow proper impersonation in the child hadoop client processes.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira