HADOOP-16095: Support impersonation for AuthenticationFilter
Project: Hadoop Common


Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.0
    • Component/s: security
    • Labels: None

    Description

      External services or a YARN service may need to call into WebHDFS or the YARN REST API on behalf of a user using web protocols. It would be good to support an impersonation mechanism in AuthenticationFilter or similar extensions. The general design is similar to UserGroupInformation.doAs in the RPC layer.

      The calling service credential is verified as a proxy user coming from a trusted host by checking the Hadoop proxy user ACL on the server side. If the proxy user ACL allows the proxy user to become the doAs user, the HttpRequest object will report REMOTE_USER as the doAs user. This feature enables web application logic to be written with minimal changes to call Hadoop APIs inside a UserGroupInformation.doAs() wrapper.

      HTTP Request

      A few possible options:

      1. Using query parameter to pass doAs user:

      POST /service?doAs=foobar
      Authorization: [proxy user Kerberos token]
      

      2. Use HTTP Header to pass doAs user:

      POST /service
      Authorization: [proxy user Kerberos token]
      x-hadoop-doas: foobar
      

      HTTP Response

      403 - Forbidden (including the case where impersonation is not allowed)

      Proxy User ACL requirement

      The proxy user Kerberos token maps to a service principal, such as yarn/host1.example.com. The host part of the credential and the HTTP request origin are both validated against the hadoop.proxyuser.yarn.hosts ACL. The doAs user's group membership or identity is checked with either hadoop.proxyuser.yarn.groups or hadoop.proxyuser.yarn.users. This ensures the caller is coming from an authorized host and the doAs user belongs to an authorized group.
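      The following is an added, stand-alone model of the request handling and ACL decision described above (both the doAs query parameter / x-hadoop-doas header options and the proxy user ACL requirement); it is not Hadoop's AuthenticationFilter or ProxyUsers code. The core-site-style property values, the group database, the principal names and the rule that a doAs parameter and header must agree when both are present are assumptions made for illustration. It returns the status and REMOTE_USER the filter would expose, with 403 on denial.

```python
"""Model of the proxy-user (doAs) decision proposed in HADOOP-16095.

Added illustration, not Hadoop code: the HTTP parsing and ACL evaluation
below are a stand-alone re-implementation of the rules the issue describes.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed core-site.xml-style proxy user ACL for the service principal "yarn".
PROXY_CONF = {
    "hadoop.proxyuser.yarn.hosts": "host1.example.com,10.0.0.0/24",
    "hadoop.proxyuser.yarn.groups": "analysts",
    "hadoop.proxyuser.yarn.users": "alice",
}

# Constructed group database standing in for Hadoop's group mapping.
GROUPS = {"foobar": {"analysts"}, "alice": set(), "mallory": {"guests"}}

DOAS_HEADER = "x-hadoop-doas"   # header name proposed in the issue
DOAS_PARAM = "doAs"             # query parameter name proposed in the issue


class ImpersonationDenied(Exception):
    """Raised when the proxy user ACL rejects the request; maps to HTTP 403."""


def _csv_set(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def short_name(principal):
    """yarn/host1.example.com@EXAMPLE.COM -> yarn (the name used in the ACL property keys)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def principal_host(principal):
    """yarn/host1.example.com@EXAMPLE.COM -> host1.example.com; None if the principal has no host part."""
    parts = principal.split("@", 1)[0].split("/", 1)
    return parts[1] if len(parts) == 2 else None


def host_allowed(allowed_csv, host):
    """True if host matches the hosts ACL: '*', an exact hostname/IP, or a CIDR range."""
    entries = _csv_set(allowed_csv)
    if "*" in entries:
        return True
    for entry in entries:
        if entry == host:
            return True
        if "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # host is a name, not an address; a CIDR entry cannot match it
                continue
    return False


def doas_user(request_target, headers):
    """Extract the requested doAs user from ?doAs= or the x-hadoop-doas header.

    Assumption made here (not stated in the issue): if both forms are present they must
    agree, otherwise the request is rejected rather than silently preferring one.
    """
    query = parse_qs(urlsplit(request_target).query)
    from_param = query.get(DOAS_PARAM, [None])[0]
    from_header = {k.lower(): v for k, v in headers.items()}.get(DOAS_HEADER)
    if from_param and from_header and from_param != from_header:
        raise ImpersonationDenied("doAs parameter and header disagree")
    return from_param or from_header


def authorize_proxy(conf, groups, proxy_principal, remote_addr, target_user):
    """Apply hadoop.proxyuser.<proxy>.{hosts,users,groups}; deny by default when unset."""
    proxy = short_name(proxy_principal)
    hosts = conf.get(f"hadoop.proxyuser.{proxy}.hosts", "")
    # Both the host in the Kerberos principal and the request origin must pass the hosts ACL.
    # A host-less principal only passes when the ACL is '*' (assumption for this model).
    cred_host = principal_host(proxy_principal) or ""
    if not host_allowed(hosts, cred_host):
        raise ImpersonationDenied(f"principal host {cred_host!r} not in hosts ACL for {proxy}")
    if not host_allowed(hosts, remote_addr):
        raise ImpersonationDenied(f"request origin {remote_addr} not in hosts ACL for {proxy}")
    users = _csv_set(conf.get(f"hadoop.proxyuser.{proxy}.users", ""))
    allowed_groups = _csv_set(conf.get(f"hadoop.proxyuser.{proxy}.groups", ""))
    if "*" in users or target_user in users:
        return target_user
    if "*" in allowed_groups or allowed_groups & groups.get(target_user, set()):
        return target_user
    raise ImpersonationDenied(f"{proxy} may not impersonate {target_user}")


def remote_user_for(conf, groups, proxy_principal, remote_addr, request_target, headers):
    """Return (status, REMOTE_USER) as the filter would expose it to the web application.

    200 with the doAs user on success, 200 with the caller itself when no doAs was
    requested, 403 with no user when the proxy user ACL denies impersonation.
    """
    try:
        target = doas_user(request_target, headers)
        if target is None:
            return 200, short_name(proxy_principal)
        return 200, authorize_proxy(conf, groups, proxy_principal, remote_addr, target)
    except ImpersonationDenied:
        return 403, None


if __name__ == "__main__":
    yarn = "yarn/host1.example.com@EXAMPLE.COM"
    print(remote_user_for(PROXY_CONF, GROUPS, yarn, "10.0.0.5", "/service?doAs=foobar", {}))
    print(remote_user_for(PROXY_CONF, GROUPS, yarn, "10.0.0.5", "/service", {"x-hadoop-doas": "mallory"}))
```

      Note that the deny-by-default branch matters: a service principal with no hadoop.proxyuser.<name>.* properties at all (for example hdfs/host1.example.com in this model) gets 403 rather than falling through to the caller's own identity.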

      Attachments

        1. HADOOP-16095.004.patch (39 kB, Eric Yang)


          People

            Eric Yang (eyang), assignee and reporter
