hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (YARN-7923) Refine proxy user authorization to support multiple ACL list
Date Mon, 12 Feb 2018 22:39:00 GMT

     [ https://issues.apache.org/jira/browse/YARN-7923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eric Yang resolved YARN-7923.
-----------------------------
    Resolution: Duplicate

Sorry, failed with wrong project.

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>
>                 Key: YARN-7923
>                 URL: https://issues.apache.org/jira/browse/YARN-7923
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>
> This Jira is responding to follow up work for HADOOP-14077.  The original goal of HADOOP-14077
is to have ability to support multiple ACL lists.  When checking for proxy user authorization
in AuthenticationFilter to ensure there is a way to authorize normal users and admin users
using separate proxy users ACL lists.  This was suggested in [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15875737]
to configure AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both credentials
claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly rejected with
403 FORBIDDEN message if there is no other web filter configured to handle the required authorization
work.
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine StaticUserWebFilter
+ second AuthenticationFilterWithProxyUser into a AuthorizationFilterWithProxyUser as a final
filter to evict unauthorized user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate
the false positive in user authorization.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org


Mime
View raw message