hadoop-common-issues mailing list archives

From "mai shurong (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12628) service level authorization check the combination of host and user
Date Sat, 12 Dec 2015 14:51:46 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

mai shurong updated HADOOP-12628:
---------------------------------
    Description: 
Service level authorization in hadoop2.2.x, hadoop2.5.x and hadoop2.6.x can only check the user
from the client. Service level authorization in hadoop2.7.x adds the function of checking the host (IP)
of the client, but it can only check host and user independently and cannot check the combination
of host and user.

I add the function of checking the combination of host and user with the patch. After applying the
patch, we can set the authorization of host-user pairs in hadoop-policy.xml. Take security.client.protocol.acl
for example:

If we only want hadoop_user1 from 192.168.0.1 (IP) to have the authorization, we can set "hadoop_user1:192.168.0.1",
so hadoop_user1 from any host other than 192.168.0.1 doesn't have the authorization. If we add
the authorization of hadoop_user2 from myhost.com.cn (hostname), we can set "hadoop_user2:myhost.com.cn";
if we authorize hadoop_user3 from any host, we just set "hadoop_user3" like before; if we want
to authorize any user from the host 192.168.10.10, we can set "*:192.168.10.10".

example:
<property>
    <name>security.client.protocol.acl</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
 </property>

It also applies to the blocked access control list (hadoop2.6.0 and later):
example:
<property>
    <name>security.client.protocol.acl.blocked</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
 </property>


The format of the access control list is completely compatible.

The lists of users and groups are both comma-separated lists of names. The two lists are separated
by a space.
Add a blank at the beginning of the line if only a list of groups is to be provided; equivalently,
a comma-separated list of users followed by a space or nothing implies only a set of given
users. A special value of * implies that all users from any host are allowed to access the
service.

Example:
user1,user2 group1,group2 (user1, user2, group1 and group2 from any host have the authorization)

user1:192.168.0.1,user2:myhost1.com.cn  group1:192.168.0.2,group2:myhost2.com.cn (user1
from 192.168.0.1, user2 from myhost1.com.cn, group1 from 192.168.0.2 and group2 from myhost2.com.cn
have the authorization)

*:192.168.0.1,*:myhost1.com.cn (any user from 192.168.0.1 or from myhost1.com.cn
has the authorization)

* (any user from any host has the authorization)

example1:
<property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
 </property>

example2:
 <property>
    <name>security.client.protocol.acl</name>
    <value>user1,user2 group1,group2</value>
 </property>
 
example3:
 <property>
    <name>security.client.protocol.acl</name>
    <value>*:192.168.0.1,*:myhost1.com.cn</value>
 </property>

example4:
 <property>
    <name>security.client.protocol.acl</name>
    <value>user1:192.168.0.1,user2:myhost1.com.cn  group1:192.168.0.2,group2:myhost2.com.cn</value>
 </property>

  was:
Service level authorization in hadoop2.2.x can only check the user from the client. Service level
authorization in hadoop2.7.x adds the function of checking the host (IP) of the client, but it can
only check host and user independently and cannot check the combination of host and user.

I add the function of checking the combination of host and user with the patch. After applying the
patch, we can set the authorization of host-user pairs in hadoop-policy.xml. Take security.client.protocol.acl
for example:

If we only want hadoop_user1 from 192.168.0.1 (IP) to have the authorization, we can set "hadoop_user1:192.168.0.1",
so hadoop_user1 from any host other than 192.168.0.1 doesn't have the authorization. If we add
the authorization of hadoop_user2 from myhost.com.cn (hostname), we can set "hadoop_user2:myhost.com.cn";
if we authorize hadoop_user3 from any host, we just set "hadoop_user3" like before; if we want
to authorize any user from the host 192.168.10.10, we can set "*:192.168.10.10".

example:
<property>
    <name>security.client.protocol.acl</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
 </property>

It also applies to the blocked access control list (hadoop2.6.0 and later):
example:
<property>
    <name>security.client.protocol.acl.blocked</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
 </property>


The format of the access control list is completely compatible.

The lists of users and groups are both comma-separated lists of names. The two lists are separated
by a space.
Add a blank at the beginning of the line if only a list of groups is to be provided; equivalently,
a comma-separated list of users followed by a space or nothing implies only a set of given
users. A special value of * implies that all users from any host are allowed to access the
service.

Example:
user1,user2 group1,group2 (user1, user2, group1 and group2 from any host have the authorization)

user1:192.168.0.1,user2:myhost1.com.cn  group1:192.168.0.2,group2:myhost2.com.cn (user1
from 192.168.0.1, user2 from myhost1.com.cn, group1 from 192.168.0.2 and group2 from myhost2.com.cn
have the authorization)

*:192.168.0.1,*:myhost1.com.cn (any user from 192.168.0.1 or from myhost1.com.cn
has the authorization)

* (any user from any host has the authorization)

example1:
<property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
 </property>

example2:
 <property>
    <name>security.client.protocol.acl</name>
    <value>user1,user2 group1,group2</value>
 </property>
 
example3:
 <property>
    <name>security.client.protocol.acl</name>
    <value>*:192.168.0.1,*:myhost1.com.cn</value>
 </property>

example4:
 <property>
    <name>security.client.protocol.acl</name>
    <value>user1:192.168.0.1,user2:myhost1.com.cn  group1:192.168.0.2,group2:myhost2.com.cn</value>
 </property>


> service level authorization check the combination of host and user 
> -------------------------------------------------------------------
>
>                 Key: HADOOP-12628
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12628
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.2.0
>         Environment: hadoop2.2.0
>            Reporter: mai shurong
>            Assignee: mai shurong
>              Labels: patch
>         Attachments: patch-for-hadoop-2.2.x.patch, patch-for-hadoop-2.5.x.patch, patch-for-hadoop-2.6.x.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
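The user:host ACL syntax described in the issue, modelled as an added example in Python. This is not Hadoop's AccessControlList or ServiceAuthorizationManager code and not the attached patch: it reads a constructed hadoop-policy.xml fragment built from the values in the description, splits each ACL value into users and groups on the first space (as Hadoop's AccessControlList does), matches "name" and "name:host" entries against a (user, groups, client host) triple, and applies the blocked list so that a match there overrides the allow list. The exact, case-insensitive string comparison of hosts is an assumption: the page does not say how the patch resolves a client IP against a hostname entry, so the caller is expected to pass whatever host string it has already resolved.

```python
"""Stand-alone model of the user:host ACL syntax proposed in HADOOP-12628.

Added example, not Hadoop's own AccessControlList / ServiceAuthorizationManager
and not the patch attached to the issue. Assumption (not stated on the page):
a "name:host" entry matches when the client's host string equals the entry's
host exactly (case-insensitive); the caller supplies an already-resolved
IP or hostname.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed hadoop-policy.xml fragment using the values from the issue text.
POLICY_XML = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
  </property>
  <property>
    <name>security.client.protocol.acl.blocked</name>
    <value>hadoop_user2:myhost.com.cn</value>
  </property>
</configuration>
"""


def load_policy(xml_text: str) -> Dict[str, str]:
    """Return {property name: value} for every <property> in a policy file."""
    root = ET.fromstring(xml_text)
    policy: Dict[str, str] = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            policy[name.strip()] = (value or "").strip()
    return policy


@dataclass(frozen=True)
class Entry:
    """One ACL entry: a user or group name, optionally pinned to one host."""
    name: str             # user/group name, or "*" for any principal
    host: Optional[str]   # IP or hostname; None means any host

    def matches(self, name: str, client_host: str) -> bool:
        name_ok = self.name == "*" or self.name == name
        host_ok = self.host is None or self.host.lower() == client_host.lower()
        return name_ok and host_ok


def parse_entries(field: str) -> List[Entry]:
    """Parse a comma-separated list of "name" / "name:host" entries."""
    entries: List[Entry] = []
    for raw in field.split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, host = raw.partition(":")
        if not name or (sep and not host):
            raise ValueError(f"malformed ACL entry {raw!r}")
        entries.append(Entry(name, host if sep else None))
    return entries


class HostUserAcl:
    """An ACL value: "users groups", a leading blank for groups only, or "*"."""

    def __init__(self, acl_string: str) -> None:
        text = acl_string.rstrip()
        # Split on the FIRST space only, as Hadoop's AccessControlList does:
        # everything before it is users, everything after it is groups.
        users_part, _, groups_part = text.partition(" ")
        self.users = parse_entries(users_part)
        self.groups = parse_entries(groups_part)

    def is_allowed(self, user: str, groups: List[str], client_host: str) -> bool:
        if any(e.matches(user, client_host) for e in self.users):
            return True
        return any(e.matches(g, client_host) for e in self.groups for g in groups)


def authorize(user: str, groups: List[str], client_host: str,
              acl: str, blocked_acl: str = "") -> bool:
    """Allow only if the allow ACL matches and the blocked ACL does not."""
    allowed = HostUserAcl(acl).is_allowed(user, groups, client_host)
    blocked = HostUserAcl(blocked_acl).is_allowed(user, groups, client_host)
    return allowed and not blocked


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    acl = policy["security.client.protocol.acl"]
    blocked = policy["security.client.protocol.acl.blocked"]
    for user, host in [("hadoop_user1", "192.168.0.1"), ("hadoop_user1", "10.0.0.7"),
                       ("hadoop_user2", "myhost.com.cn"), ("nobody", "192.168.10.10")]:
        print(f"{user}@{host}: {authorize(user, [], host, acl, blocked)}")
```

Running the file prints one decision per (user, host) pair; hadoop_user2 from myhost.com.cn is denied because the blocked list wins even though the allow list matches. A host-pinned entry is only as strong as the host string it is compared against: an IP entry depends on the address the server observes, and a hostname entry additionally depends on name resolution, which this model leaves to the caller.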
