hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-7923) Refine proxy user authorization to support multiple ACL list
Date Mon, 12 Feb 2018 22:08:00 GMT
Eric Yang created YARN-7923:
-------------------------------

             Summary: Refine proxy user authorization to support multiple ACL list
                 Key: YARN-7923
                 URL: https://issues.apache.org/jira/browse/YARN-7923
             Project: Hadoop YARN
          Issue Type: Bug
          Components: security
    Affects Versions: 3.0.0
            Reporter: Eric Yang
            Assignee: Eric Yang


This Jira is responding to follow up work for HADOOP-14077.  The original goal of HADOOP-14077
is to have ability to support multiple ACL lists.  When checking for proxy user authorization
in AuthenticationFilter to ensure there is a way to authorize normal users and admin users
using separate proxy users ACL lists.  This was suggested in [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15875737]
to configure AuthenticationFilterWithProxyUser this way:

AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser

This enables the second AuthenticationFilterWithProxyUser validates both credentials claim
by proxy user, and end user.

However, there is a side effect that unauthorized users are not properly rejected with 403
FORBIDDEN message if there is no other web filter configured to handle the required authorization
work.

This JIRA is intend to discuss the work of HADOOP-14077 by either combine StaticUserWebFilter
+ second AuthenticationFilterWithProxyUser into a AuthorizationFilterWithProxyUser as a final
filter to evict unauthorized user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate
the false positive in user authorization.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org


Mime
View raw message