hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10448) Support pluggable mechanism to specify proxy user settings
Date Tue, 22 Apr 2014 08:43:17 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Benoy Antony updated HADOOP-10448:

    Attachment: HADOOP-10448.patch

Thanks for the comments [~daryn]. I have made changes to the patch based on comments.

bq. Less synchronization is always good, removing all synchronization will cause race conditions
accessing the non-thread safe data structures during a refresh.

Though synchronization is removed, it is still safe for different threads to share the instance
of ImpersonationProvider. The instance of ImpersonationProvider is effectively immutable and
it is safely published by storing its reference in a _volatile_ field. 

bq. Does it make sense for get*ConfKey methods to be part of the api? That seems like an implementation
detail of a conf based provider that is inapplicable to other abstract providers.

I agree and  have created an interface - _ImpersonationProvider_ . This will be implemented
by _DefaultImpersonationProvider_ and the above methods are part of _DefaultImpersonationProvider_.

bq. I'm just curious what alternate implementation you intend to use?

My requirement is to manage the proxyusers via group membership in addition to the config
based proxyusers. Users belonging to group  s_<username>  can impersonate <username>

So the sample  implementation is as follows:

* Custom class which allows impersonation if the superuser belongs to sudo group
* The sudo groupname is determined based on the name of the user to be impersonated.

public class SudoGroupBasedImpersonationProvider extends DefaultImpersonationProvider{
  public void authorize(UserGroupInformation user, 
      String remoteAddress) throws AuthorizationException {
    UserGroupInformation superUser = user.getRealUser();
    if (superUser == null) {
    //form the group name as in s_PROXIEDUSER
    String groupName = "s_" + user.getShortUserName();
    //check if the any of the superuser's group matches the sudo group
    for (String group : superUser.getGroupNames()) {
      if (group.equals(groupName)){
        //match found , authorize impersonation
    //revert to default proxy logic
    super.authorize(user, remoteAddress);


> Support pluggable mechanism to specify proxy user settings
> ----------------------------------------------------------
>                 Key: HADOOP-10448
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10448
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10448.patch, HADOOP-10448.patch, HADOOP-10448.patch, HADOOP-10448.patch,
HADOOP-10448.patch, HADOOP-10448.patch
> We have a requirement to support large number of superusers. (users who impersonate as
another user) (http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html) 
> Currently each  superuser needs to be defined in the core-site.xml via proxyuser settings.
This will be cumbersome when there are 1000 entries.
> It seems useful to have a pluggable mechanism to specify  proxy user settings with the
current approach as the default. 

This message was sent by Atlassian JIRA

View raw message