Date: Fri, 1 Nov 2013 17:21:21 +0000 (UTC)
From: "Jimmy Xiang (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users

    [ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811471#comment-13811471 ]

Jimmy Xiang commented on HBASE-9866:
------------------------------------

bq. + Lock lock = locker.acquireLock(effectiveUser.get().getUserName());

Are we sure effectiveUser is always set even when SPNEGO/security is not enabled?

bq. final String doAsUserFromQuery = request.getParameter("doas");

Should we use parameter "doAs"?

Can we make sure there are no javadoc/findbugs warnings?

Another thing is that we have two proxy users. One is the user authenticated with SPNEGO. The other is the real user. We switch the proxy user in the middle.
Is this a security concern? I was wondering if Knox should talk to HBase directly as a proxy, instead of going through REST server as another level of proxying?

[~toffer], any comments?

> Support the mode where REST server authorizes proxy users
> ---------------------------------------------------------
>
>                 Key: HBASE-9866
>                 URL: https://issues.apache.org/jira/browse/HBASE-9866
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.96.1
>
>         Attachments: 9866-1.txt
>
>
> In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today.
> The curl request would be something like (assuming SPNEGO auth) -
> {noformat}
> curl -i --negotiate -u : http://:/version/cluster?doas=
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.1#6144)