From: "mai shurong (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 9 Dec 2015 13:44:11 +0000 (UTC)
Subject: [jira] [Work stopped] (HADOOP-12628) service level authorization check the combination of host and user

[ https://issues.apache.org/jira/browse/HADOOP-12628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on HADOOP-12628 stopped by mai shurong.
--------------------------------------------
> service level authorization check the combination of host and user
> ------------------------------------------------------------------
>
>                 Key: HADOOP-12628
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12628
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.4.1, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2
>            Reporter: mai shurong
>            Assignee: mai shurong
>              Labels: improvement, patch
>
> Service level authorization in hadoop2.2.x can only check the user from the client. Service level authorization in hadoop2.7.x adds the function of checking the host (IP) of the client, but it can only check host and user independently and cannot check the combination of host and user.
> I add the function of checking the combination of host and user with this patch. After applying the patch, we can set the authorization of host-user pairs in hadoop-policy.xml. Take security.client.protocol.acl for example:
> If we only want hadoop_user1 from 192.168.0.1 (IP) to have the authorization, we can set "hadoop_user1:192.168.0.1", so hadoop_user1 from any host other than 192.168.0.1 does not have the authorization. If we add the authorization of hadoop_user2 from myhost.com.cn (hostname), we can set "hadoop_user2:myhost.com.cn"; if we authorize hadoop_user3 from any host, we just set "hadoop_user3" like before; if we want to authorize any user from the host 192.168.10.10, we can set "*:192.168.10.10".
> example:
> <property>
>   <name>security.client.protocol.acl</name>
>   <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> It also applies to the blocked access control list after hadoop2.6.0:
> example:
> <property>
>   <name>security.client.protocol.acl.blocked</name>
>   <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10</value>
> </property>
> The format of the access control list is completely compatible.
>
> The lists of users and groups are both comma-separated lists of names. The two lists are separated by a space.
> Add a blank at the beginning of the line if only a list of groups is to be provided; equivalently, a comma-separated list of users followed by a space or nothing implies only a set of given users. A special value of * implies that all users from any host are allowed to access the service.
> Example:
> user1,user2 group1,group2 (user1, user2, group1, group2 from any host have the authorization)
> user1:192.168.0.1,user2:myhost1.com.cn group1:192.168.0.2,group2:myhost2.com.cn (user1 from 192.168.0.1, user2 from myhost1.com.cn, group1 from 192.168.0.2, group2 from myhost2.com.cn have the authorization)
> *:192.168.0.1,*:myhost1.com.cn (any user from 192.168.0.1, any user from myhost1.com.cn have the authorization)
> * (any user from any host has the authorization)
> example1:
> <property>
>   <name>security.client.protocol.acl</name>
>   <value>*</value>
> </property>
> example2:
> <property>
>   <name>security.client.protocol.acl</name>
>   <value>user1,user2 group1,group2</value>
> </property>
> example3:
> <property>
>   <name>security.client.protocol.acl</name>
>   <value>*:192.168.0.1,*:myhost1.com.cn</value>
> </property>
> example4:
> <property>
>   <name>security.client.protocol.acl</name>
>   <value>user1:192.168.0.1,user2:myhost1.com.cn group1:192.168.0.2,group2:myhost2.com.cn</value>
> </property>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
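The following is an added example, not part of the JIRA message above and not Hadoop's own AccessControlList or ServiceAuthorizationManager code. It implements the ACL grammar the issue describes (a user list and a group list separated by one space, entries optionally qualified with ":host", "*" for any user, and a ".blocked" list that overrides the allow list) and evaluates a constructed hadoop-policy.xml fragment against (user, groups, client host) triples. The group "admins", the blocked entry "hadoop_user3:192.168.10.10", and the idea that the caller supplies both the client's IP and its resolved hostname as a set of identifiers are assumptions of this example; which identifiers Hadoop actually compares is not stated on the page.

```python
"""Host-qualified ACL evaluation for hadoop-policy.xml (added example).

Re-implements the rules from HADOOP-12628's description; it is not the
project's own code. The "admins" group entry, the blocked entry and the
host-identifier convention are assumptions made for the demonstration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed hadoop-policy.xml fragment. The allow list reuses the values
# from the issue; the group entry and the blocked list are assumptions.
POLICY_XML = """<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>hadoop_user1:192.168.0.1,hadoop_user2:myhost.com.cn,hadoop_user3,*:192.168.10.10 admins:10.0.0.5</value>
  </property>
  <property>
    <name>security.client.protocol.acl.blocked</name>
    <value>hadoop_user3:192.168.10.10</value>
  </property>
</configuration>
"""


@dataclass(frozen=True)
class AclEntry:
    name: str            # user or group name, or "*" for any user
    host: Optional[str]  # IP or hostname the caller must come from; None = any host

    def matches(self, names: Set[str], client_hosts: Set[str], wildcard: bool) -> bool:
        # Exact string comparison against the identifiers known for the client
        # (assumed here: its peer IP and, if resolved, its hostname).
        name_ok = self.name in names or (wildcard and self.name == "*")
        host_ok = self.host is None or self.host in client_hosts
        return name_ok and host_ok


def _parse_entries(field: str) -> Tuple[AclEntry, ...]:
    entries = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, host = item.partition(":")
        entries.append(AclEntry(name, host if sep and host else None))
    return tuple(entries)


@dataclass(frozen=True)
class HostAwareAcl:
    users: Tuple[AclEntry, ...]
    groups: Tuple[AclEntry, ...]

    @classmethod
    def parse(cls, acl: str) -> "HostAwareAcl":
        # Split on the first space only: a leading blank yields an empty user
        # list and keeps the whole remainder as the group list.
        user_part, _, group_part = acl.partition(" ")
        return cls(_parse_entries(user_part), _parse_entries(group_part))

    def is_allowed(self, user: str, groups: Iterable[str], client_hosts: Set[str]) -> bool:
        if any(e.matches({user}, client_hosts, wildcard=True) for e in self.users):
            return True
        # "*" is only documented for users in the issue, so it is not honoured
        # as a group wildcard here.
        group_set = set(groups)
        return any(e.matches(group_set, client_hosts, wildcard=False) for e in self.groups)


def load_policy(xml_text: str) -> Dict[str, str]:
    """Return {property name: raw value} from a hadoop-policy.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value", "") for p in root.iter("property")}


def authorize(policy: Dict[str, str], service_key: str, user: str,
              groups: Iterable[str], client_hosts: Set[str]) -> bool:
    """Grant access only if the allow ACL matches and the blocked ACL does not.

    Defaults for absent keys (allow everyone, block nobody) and the ".blocked"
    suffix are taken from the issue text; treat them as assumptions.
    """
    allow = HostAwareAcl.parse(policy.get(service_key, "*"))
    blocked = HostAwareAcl.parse(policy.get(service_key + ".blocked", ""))
    groups = list(groups)
    return (allow.is_allowed(user, groups, client_hosts)
            and not blocked.is_allowed(user, groups, client_hosts))


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    key = "security.client.protocol.acl"
    for user, groups, hosts in [
        ("hadoop_user1", [], {"192.168.0.1"}),
        ("hadoop_user1", [], {"192.168.0.2"}),
        ("hadoop_user2", [], {"10.1.1.1", "myhost.com.cn"}),
        ("someone", [], {"192.168.10.10"}),
        ("hadoop_user3", [], {"192.168.10.10"}),
        ("alice", ["admins"], {"10.0.0.5"}),
    ]:
        print(user, sorted(hosts), "->", authorize(policy, key, user, groups, hosts))
```

The blocked-list case is the one worth checking before deploying such a policy: "hadoop_user3" is allowed from any host by the allow list, and every user is allowed from 192.168.10.10 by the "*:192.168.10.10" entry, yet hadoop_user3 from 192.168.10.10 is denied because the blocked entry takes precedence over both.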