hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7923) Refine proxy user authorization to support multiple ACL list
Date Mon, 12 Feb 2018 22:45:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361554#comment-16361554

Eric Yang edited comment on YARN-7923 at 2/12/18 10:44 PM:

Sorry, filed with wrong project.

was (Author: eyang):
Sorry, failed with wrong project.

> Refine proxy user authorization to support multiple ACL list
> ------------------------------------------------------------
>                 Key: YARN-7923
>                 URL: https://issues.apache.org/jira/browse/YARN-7923
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
> This Jira is responding to follow up work for HADOOP-14077.  The original goal of HADOOP-14077
is to have ability to support multiple ACL lists.  When checking for proxy user authorization
in AuthenticationFilter to ensure there is a way to authorize normal users and admin users
using separate proxy users ACL lists.  This was suggested in [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15875737]
to configure AuthenticationFilterWithProxyUser this way:
> AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFIlterWithProxyUser
> This enables the second AuthenticationFilterWithProxyUser validates both credentials
claim by proxy user, and end user.
> However, there is a side effect that unauthorized users are not properly rejected with
403 FORBIDDEN message if there is no other web filter configured to handle the required authorization
> This JIRA is intend to discuss the work of HADOOP-14077 by either combine StaticUserWebFilter
+ second AuthenticationFilterWithProxyUser into a AuthorizationFilterWithProxyUser as a final
filter to evict unauthorized user, or revert both HADOOP-14077 and HADOOP-13119 to eliminate
the false positive in user authorization.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message