hadoop-hdfs-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4542) Webhdfs doesn't support secure proxy users
Date Fri, 01 Mar 2013 22:05:13 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13590991#comment-13590991 ]

Daryn Sharp commented on HDFS-4542:

Unfortunately, no...  The "user" is context sensitive.  If there's no "doAs" then the ugi
is a plain non-proxy user.  If both "user" and "doAs" are provided, then "user" is the real/privileged
user, and "doAs" is the effective user.

I really wish "user" always meant effective user, and there was an optional "realUser" for
the privileged user, but that would be an incompatible change. :(
> Webhdfs doesn't support secure proxy users
> ------------------------------------------
>                 Key: HDFS-4542
>                 URL: https://issues.apache.org/jira/browse/HDFS-4542
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-4542.patch
>
> Webhdfs doesn't ever send the {{DoAsParam}} in the REST calls for proxy users.  Proxy
> users on a non-secure cluster "work" because the server sees them as the effective user, not
> a proxy user, which effectively bypasses the proxy authorization checks.  On secure clusters,
> it doesn't work at all in part due to wrong ugi being used for the connection (HDFS-3367),
> but then it fails because the effective user tries to use a non-proxy token for the real user.

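A simplified model of the parameter handling described in this message, added here as an illustration and not taken from Hadoop or the HDFS-4542 patch. It shows why the proxy authorization check only runs when `doas` accompanies `user.name` (the WebHDFS query parameter names); `PROXY_ACL`, the function names and the host are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical proxy policy: real (privileged) user -> users it may impersonate.
PROXY_ACL = {"oozie": {"alice", "bob"}}
BASE = "http://nn.example:50070/webhdfs/v1"  # constructed host

class ProxyDenied(Exception):
    pass

def build_url(path, real, effective, send_doas):
    """Client side. send_doas=False models the behaviour reported in the issue:
    the effective user goes out as user.name and doas is never sent."""
    if real is None or not send_doas:
        params = {"user.name": effective}
    else:
        params = {"user.name": real, "doas": effective}
    params["op"] = "GETFILESTATUS"
    return BASE + path + "?" + urlencode(params)

def resolve_ugi(url):
    """Server side: return (real_user, effective_user).
    No doas -> plain user (real_user is None); both -> user.name is the real user."""
    q = parse_qs(urlsplit(url).query)
    user = q.get("user.name", [None])[0]
    doas = q.get("doas", [None])[0]
    if user is None:
        raise ValueError("user.name is required in this model")
    return (None, user) if doas is None else (user, doas)

def authorize(url):
    """Run the proxy check only when the request is a proxy request."""
    real, effective = resolve_ugi(url)
    if real is not None and effective not in PROXY_ACL.get(real, set()):
        raise ProxyDenied(f"{real} may not impersonate {effective}")
    return effective

def was_denied(url):
    """True if the modelled server rejects the request."""
    try:
        authorize(url)
        return False
    except ProxyDenied:
        return True
```

With `send_doas=False` a request made on behalf of `alice` by the unlisted real user `etl` is accepted as plain `alice`, because the server receives no `doas` value to trigger the check.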