hadoop-hdfs-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4542) Webhdfs doesn't support secure proxy users
Date Fri, 01 Mar 2013 22:05:13 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13590991#comment-13590991 ]

Daryn Sharp commented on HDFS-4542:
-----------------------------------

Unfortunately, no...  The "user" is context sensitive.  If there's no "doAs" then the ugi
is a plain non-proxy user.  If both "user" and "doAs" are provided, then "user" is the real/privileged
user, and "doAs" is the effective user.

I really wish "user" always meant effective user, and there was an optional "realUser" for
the privileged user, but that would be an incompatible change. :(
                
> Webhdfs doesn't support secure proxy users
> ------------------------------------------
>
>                 Key: HDFS-4542
>                 URL: https://issues.apache.org/jira/browse/HDFS-4542
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4542.patch
>
>
> Webhdfs doesn't ever send the {{DoAsParam}} in the REST calls for proxy users.  Proxy
> users on a non-secure cluster "work" because the server sees them as the effective user, not
> a proxy user, which effectively bypasses the proxy authorization checks.  On secure clusters,
> it doesn't work at all in part due to wrong ugi being used for the connection (HDFS-3367),
> but then it fails because the effective user tries to use a non-proxy token for the real user.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
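
The parameter semantics from the comment and the check bypass from the issue description, modelled as an added example (this is not Hadoop code and not part of the original message). `resolve_ugi`, `client_params`, `PROXY_ACL` and the user names are hypothetical, and the parameters are named as in the comment rather than by their wire names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the cluster's proxy-user configuration:
# real (privileged) user -> effective users it is allowed to act as.
PROXY_ACL = {"oozie": {"alice", "bob"}}


class ProxyDenied(Exception):
    """The real user is not authorized to act as the requested effective user."""


@dataclass(frozen=True)
class Ugi:
    effective: str        # identity used for permission checks
    real: Optional[str]   # privileged user behind a proxy ugi, None if plain
    proxy_checked: bool   # whether proxy authorization was evaluated


def resolve_ugi(user: str, do_as: Optional[str] = None) -> Ugi:
    """Server side: "user" is context sensitive, as the comment describes."""
    if not do_as:
        # No doAs: plain non-proxy user, so there is nothing to authorize.
        return Ugi(effective=user, real=None, proxy_checked=False)
    # Both given: "user" is the real user, "doAs" is the effective user.
    if do_as not in PROXY_ACL.get(user, set()):
        raise ProxyDenied(f"{user} may not act as {do_as}")
    return Ugi(effective=do_as, real=user, proxy_checked=True)


def client_params(real: str, effective: str, send_do_as: bool) -> dict:
    """Client side: parameters emitted for a proxy user.

    send_do_as=False models the reported behaviour: doAs is never sent,
    so the effective user goes out as "user" and the real user is lost.
    """
    if send_do_as:
        return {"user": real, "do_as": effective}
    return {"user": effective}


if __name__ == "__main__":
    # "batchsvc" is a constructed real user that is absent from PROXY_ACL.
    print(resolve_ugi(**client_params("batchsvc", "alice", send_do_as=False)))
    print(resolve_ugi(**client_params("oozie", "alice", send_do_as=True)))
```

On a non-secure cluster the first call succeeds with `proxy_checked=False` even though `batchsvc` has no proxy entry, which is the bypass the issue describes; the same pair with `doAs` sent is rejected.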
