hadoop-common-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12389) allow self-impersonation
Date Fri, 11 Sep 2015 15:00:47 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740946#comment-14740946 ]

Allen Wittenauer commented on HADOOP-12389:
-------------------------------------------

bq. If ProxyUsers#authorize is called when it should not be, it is a bug and should be fixed
rather than changing authorization scheme.

There is no difference between a user authenticating as themselves and a user authenticating
as themselves and requesting to proxy to their own account, especially if we put in the clause
that there mustn't already exist a proxy config entry.

As to a bug, I'd love to go back to pre-2.5.0 NN HTTP handling before everything got massively
screwed up despite us (a year later) still dealing with the fallout, but I don't see that
happening.  But again: it's sort of irrelevant.  There's no real difference here from a security
perspective.

> allow self-impersonation
> ------------------------
>
>                 Key: HADOOP-12389
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12389
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>
> This is kind of dumb:
> org.apache.hadoop.security.authorize.AuthorizationException: User: aw is not allowed to impersonate aw
> Users should be able to impersonate themselves in secure and non-secure cases automatically, for free.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
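
The rule argued for in the comment above, sketched as an added stand-alone Java model; it is not part of the original message and is not Hadoop's code. The class name, the map-based proxy configuration and the use of `SecurityException` in place of `AuthorizationException` are assumptions, and the "no existing proxy config entry" clause is read here as meaning that an explicit entry for the user keeps deciding.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical model of the proposed check; it does not use Hadoop's ProxyUsers class.
public class SelfImpersonationModel {
    // Assumed simplification: superuser -> users it may impersonate ("*" = anyone).
    // Real proxy-user configuration also restricts by host and group.
    private final Map<String, Set<String>> proxyConfig;

    public SelfImpersonationModel(Map<String, Set<String>> proxyConfig) {
        this.proxyConfig = proxyConfig;
    }

    /** Returns normally when realUser may act as effectiveUser, otherwise throws. */
    public void authorize(String realUser, String effectiveUser) {
        Set<String> allowed = proxyConfig.get(realUser);
        // Proposed rule: proxying to your own account grants nothing beyond the
        // authentication that already happened, so allow it, but only when no
        // proxy entry exists for that user (an explicit entry keeps deciding).
        if (allowed == null && realUser.equals(effectiveUser)) {
            return;
        }
        if (allowed != null && (allowed.contains("*") || allowed.contains(effectiveUser))) {
            return;
        }
        // SecurityException stands in for Hadoop's AuthorizationException.
        throw new SecurityException(
            "User: " + realUser + " is not allowed to impersonate " + effectiveUser);
    }

    private static String check(SelfImpersonationModel m, String real, String effective) {
        try {
            m.authorize(real, effective);
            return real + " -> " + effective + ": allowed";
        } catch (SecurityException e) {
            return real + " -> " + effective + ": denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: only "oozie" has a proxy entry.
        SelfImpersonationModel m =
            new SelfImpersonationModel(Map.of("oozie", Set.of("alice")));
        System.out.println(check(m, "aw", "aw"));       // self-proxy, no entry for aw
        System.out.println(check(m, "aw", "alice"));    // other user, no entry for aw
        System.out.println(check(m, "oozie", "alice")); // entry for oozie lists alice
        System.out.println(check(m, "oozie", "oozie")); // entry exists, self not listed
    }
}
```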
