hbase-issues mailing list archives

From "Jimmy Xiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
Date Fri, 01 Nov 2013 17:21:21 GMT

    [ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811471#comment-13811471 ]

Jimmy Xiang commented on HBASE-9866:

bq. +      Lock lock = locker.acquireLock(effectiveUser.get().getUserName());
Are we sure effectiveUser is always set even when SPNEGO/security is not enabled?

bq. final String doAsUserFromQuery = request.getParameter("doas");
Should we use parameter "doAs"?

Can we make sure there are no javadoc/findbugs warnings?

Another thing is that we have two proxy users. One is the user authenticated with SPNEGO.
The other is the real user. We switch the proxy user in the middle. Is this a security concern?

I was wondering if Knox should talk to HBase directly as a proxy, instead of going through
the REST server as another level of proxying?

[~toffer], any comments?

> Support the mode where REST server authorizes proxy users
> ---------------------------------------------------------
>                 Key: HBASE-9866
>                 URL: https://issues.apache.org/jira/browse/HBASE-9866
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.96.1
>         Attachments: 9866-1.txt
> In one use case, someone was trying to authorize with the REST server as a proxy user.
> That mode is not supported today.
> The curl request would be something like (assuming SPNEGO auth) - 
> {noformat}
> curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER>
> {noformat}
