hadoop-common-issues mailing list archives

From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10650) Add ability to specify a negative ACL (black list) of users and groups
Date Mon, 09 Jun 2014 18:53:02 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoy Antony updated HADOOP-10650:
----------------------------------

    Attachment: HADOOP-10650.patch

Submitting a patch which includes HADOOP-10649 also.

For each acl, it is possible to define a reverse acl by including ".reverse" as the suffix.

E.g., for security.client.protocol.acl, the reverse ACL is read using the key security.client.protocol.acl.reverse.

The protocol access is authorized if the user is included in the acl AND not included in the reverse acl.

The key to specify the default reverse acl is also defined. That will be "security.service.authorization.default.acl.reverse".

> Add ability to specify a negative ACL (black list) of users and groups
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10650
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10650
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10650.patch
>
>
> Currently, it is possible to define an ACL (user and groups) for a service. To temporarily remove authorization for a set of users, the administrator needs to remove the users from the specific group and this may be a lengthy process (update ldap groups, flush caches on machines).
> If there is a facility to define a negative ACL for services, then the administrator can disable users by specifying the users in the negative ACL. In other words, one can specify a whitelist of users and groups as well as a blacklist of users and groups.
> One can also specify a default blacklist to disable the users from accessing any service.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
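
A model of the evaluation rule described in the message above, added here as an illustration; it is not code from the patch or from Hadoop. Assumptions: the ACL string format ("users groups", with "*" matching everyone), the default-ACL key name, the fallback values for unset keys, and the sample users, groups and the `security.example.protocol.acl` key.

```python
# Added illustration: models the rule in the message; not Hadoop's implementation.
DEFAULT_ACL = "security.service.authorization.default.acl"  # assumed key name
DEFAULT_REVERSE = "security.service.authorization.default.acl.reverse"  # from the message

# Constructed sample configuration (users, groups and the "example" key are hypothetical).
CONF = {
    "security.client.protocol.acl": "alice,bob analysts",
    "security.client.protocol.acl.reverse": "bob",
    DEFAULT_REVERSE: "mallory contractors",
}


def parse_acl(value):
    """Parse 'user1,user2 group1,group2' (assumed format). Returns None for '*'."""
    if value.strip() == "*":
        return None  # wildcard: matches every user
    # A leading space means "no users, groups only", so do not strip before splitting.
    users, _, groups = value.partition(" ")
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return split(users), split(groups)


def matches(acl, user, groups):
    """True if the user, or any of the user's groups, is listed in the parsed ACL."""
    if acl is None:
        return True
    acl_users, acl_groups = acl
    return user in acl_users or bool(acl_groups & set(groups))


def is_authorized(conf, acl_key, user, groups):
    """Authorized only if in the ACL AND not in the reverse ACL (deny wins on overlap).

    Assumed fallbacks: an unset ACL uses the default ACL, else '*';
    an unset reverse ACL uses the default reverse ACL, else empty.
    """
    allow = parse_acl(conf.get(acl_key, conf.get(DEFAULT_ACL, "*")))
    deny = parse_acl(conf.get(acl_key + ".reverse", conf.get(DEFAULT_REVERSE, "")))
    return matches(allow, user, groups) and not matches(deny, user, groups)
```

In this model a user listed in both the ACL and the reverse ACL is denied, which is what lets an administrator disable an account without first editing group membership.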
