[ https://issues.apache.org/jira/browse/HADOOP-12389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740946#comment-14740946
]
Allen Wittenauer commented on HADOOP-12389:
-------------------------------------------
bq. If ProxyUsers#authorize is called when it should not be, it is a bug and should be fixed
rather than changing authorization scheme.
There is no difference between a user authenticating as themselves and a user authenticating
as themselves and requesting to proxy to their own account, especially if we put in the clause
about there mustn't already exist a proxy config entry.
As to a bug, I'd love to go back to pre-2.5.0 NN HTTP handling before everything got massively
screwed up despite us (a year later) still dealing with the fallout, but I don't see that
happening. But again: it's sort of irrelevant. There's no real difference here from a security
perspective.
> allow self-impersonation
> ------------------------
>
> Key: HADOOP-12389
> URL: https://issues.apache.org/jira/browse/HADOOP-12389
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0
> Reporter: Allen Wittenauer
>
> This is kind of dumb:
> org.apache.hadoop.security.authorize.AuthorizationException: User: aw is not allowed
to impersonate aw
> Users should be able to impersonate themselves in secure and non-secure cases automatically,
for free.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
|