hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bharat Viswanadham (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12953) New API for libhdfs to get FileSystem object as a proxy user
Date Fri, 06 Apr 2018 19:49:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16428847#comment-16428847

Bharat Viswanadham commented on HADOOP-12953:

Attached the rebased patch, and also added testcases for newly added API's in FileSystem.java.


I am not much familiar with native code, not worked on adding new API's in native for same.
Left as it is, as original author. If neeed, we can work on new jira.


> New API for libhdfs to get FileSystem object as a proxy user
> ------------------------------------------------------------
>                 Key: HADOOP-12953
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12953
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>    Affects Versions: 2.7.2
>            Reporter: Uday Kale
>            Assignee: Uday Kale
>            Priority: Major
>         Attachments: HADOOP-12953.001.patch, HADOOP-12953.002.patch, HADOOP-12953.003.patch
> Secure impersonation in HDFS needs users to create proxy users and work with those. In
libhdfs, the hdfsBuilder accepts a userName but calls FileSytem.get() or FileSystem.newInstance()
with the user name to connect as. But, both these interfaces use getBestUGI() to get the UGI
for the given user. This is not necessarily true for all services whose end-users would not
access HDFS directly, but go via the service to first get authenticated with LDAP, then the
service owner can impersonate the end-user to eventually provide the underlying data.
> For such services that authenticate end-users via LDAP, the end users are not authenticated
by Kerberos, so their authentication details wont be in the Kerberos ticket cache. HADOOP_PROXY_USER
is not a thread-safe way to get this either. 
> Hence the need for the new API for libhdfs to get the FileSystem object as a proxy user
using the 'secure impersonation' recommendations. This approach is  secure since HDFS authenticates
the service owner and then validates the right for the service owner to impersonate the given
user as allowed by hadoop.proxyusers.* parameters of HDFS config.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message