In a secure cluster, it is possible to configure the services to allow a super-user to proxy to a regular user and perform actions on behalf of the proxied user (see Proxy user - Superusers Acting On Behalf Of Other Users).
This is useful for automating server access for multiple different users in a multi-tenant cluster. For example, a super-user can submit jobs to a YARN queue, access HDFS files, schedule Oozie workflows, etc., and the service will then execute the request as the proxied user.
Usually, when these services check ACLs to determine whether the user has access to the requested resources, the service only needs to check the ACLs for the proxied user. However, it is sometimes desirable to allow the proxied user to have access to the resources when only the real user has open ACLs.
For instance, let's say the user adm is the only user with submit ACLs to the dataload queue, and the adm user wants to submit apps to the dataload queue on behalf of users headless1 and headless2. In addition, we want to be able to bill headless1 and headless2 separately for the YARN resources used in the dataload queue. In order to do this, the apps need to run in the dataload queue as the respective headless users. We could open up the ACLs to the dataload queue to allow headless1 and headless2 to submit apps. But this would allow those users to submit any app to that queue, and not be limited to just the data loading apps, and we don't trust the headless1 and headless2 owners to honor that restriction.
This JIRA proposes that we define a way to set up ACLs to restrict a resource's access to a super-user, but when the access happens, run it as the proxied user.
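The following is an added illustration of the proposed check, not code from this JIRA or from Hadoop. It models the two authorization rules side by side for a queue submit request: the existing rule, which checks the queue ACL against the proxied user only, and the proposed rule, which also accepts the real user's ACL entry while still running the app as the proxied user. The proxy-user mapping is enforced in both cases, so a super-user can still only act on behalf of users it is configured for. The config tables, the Request/Decision types and the function names are assumptions made for the example.

```python
# Added example (not from the JIRA or Hadoop): queue submit authorization
# with proxy users, current rule versus proposed rule.
from dataclasses import dataclass
from typing import Optional, Set, Dict


@dataclass(frozen=True)
class Request:
    real_user: str                       # authenticated caller, e.g. "adm"
    proxied_user: Optional[str] = None   # user the caller wants to act as


@dataclass(frozen=True)
class Decision:
    run_as: str         # user the app will run as (and be billed to)
    granted_via: str    # whose ACL entry satisfied the check (for audit logs)


class AccessDenied(Exception):
    pass


# Constructed proxy-user configuration (assumption, modelled on the
# hadoop.proxyuser.<superuser>.users idea): super-user -> users it may act as.
PROXY_USERS: Dict[str, Set[str]] = {"adm": {"headless1", "headless2"}}

# Constructed queue submit ACLs: queue -> users allowed to submit.
# Only adm may submit to dataload, as in the scenario above.
QUEUE_SUBMIT_ACL: Dict[str, Set[str]] = {"dataload": {"adm"}}


def effective_user(req: Request) -> str:
    """Resolve who the request runs as, enforcing the proxy-user mapping."""
    if req.proxied_user is None or req.proxied_user == req.real_user:
        return req.real_user
    if req.proxied_user not in PROXY_USERS.get(req.real_user, set()):
        raise AccessDenied(
            f"{req.real_user} is not allowed to proxy as {req.proxied_user}")
    return req.proxied_user


def authorize_submit_current(queue: str, req: Request) -> Decision:
    """Current behaviour: the queue ACL is checked against the proxied user only."""
    run_as = effective_user(req)
    if run_as not in QUEUE_SUBMIT_ACL.get(queue, set()):
        raise AccessDenied(f"{run_as} may not submit to {queue}")
    return Decision(run_as=run_as, granted_via=run_as)


def authorize_submit_proposed(queue: str, req: Request) -> Decision:
    """Proposed behaviour: the ACL may be satisfied by either the proxied user
    or the real (super) user; the app still runs as the proxied user."""
    run_as = effective_user(req)
    acl = QUEUE_SUBMIT_ACL.get(queue, set())
    if run_as in acl:
        return Decision(run_as=run_as, granted_via=run_as)
    if req.real_user in acl:
        # Access comes from the super-user's ACL entry; record that for audit,
        # but the app runs (and is billed) as the proxied user.
        return Decision(run_as=run_as, granted_via=req.real_user)
    raise AccessDenied(
        f"neither {run_as} nor {req.real_user} may submit to {queue}")


if __name__ == "__main__":
    req = Request("adm", "headless1")
    try:
        authorize_submit_current("dataload", req)
    except AccessDenied as e:
        print("current rule:", e)
    print("proposed rule:", authorize_submit_proposed("dataload", req))
```

Under the proposed rule the dataload ACL stays limited to adm, so headless1 submitting directly is still denied, while adm proxying as headless1 is allowed and the resulting app is owned by headless1. Recording granted_via separately from run_as keeps the audit trail honest about which ACL entry actually authorized the request.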