Hadoop Common
  1. Hadoop Common
  2. HADOOP-6995

Allow wildcards to be used in ProxyUsers configurations

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 0.22.0
    • Fix Version/s: 1.1.0, 0.22.1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      When configuring proxy users and hosts, the special wildcard value "*" may be specified to match any host or any user.

      Description

      There are some cases where the full tightness of the ProxyUsers configuration is not required or available – for example, not all users of oozie may share a common "oozie-users" group, and the operators would prefer to allow oozie on a given host to act proxy for any user. We should allow the operator to specify a wildcard for hosts or groups in the proxyuser configurations.

      1. hadoop-6995-branch20.txt
        8 kB
        Todd Lipcon
      2. hadoop-6995.txt
        8 kB
        Todd Lipcon
      3. hadoop-6995.txt
        8 kB
        Todd Lipcon
      4. hadoop-6995-branch1.txt
        8 kB
        Jeremy Hanna
      5. HADOOP-6995-22.patch
        8 kB
        Mayank Bansal

        Activity

        Todd Lipcon created issue -
        Hide
        Todd Lipcon added a comment -

        For 0.20S, not for commit.

        Show
        Todd Lipcon added a comment - For 0.20S, not for commit.
        Todd Lipcon made changes -
        Field Original Value New Value
        Attachment hadoop-6995-branch20.txt [ 12456672 ]
        Hide
        Todd Lipcon added a comment -

        Patch for trunk

        Show
        Todd Lipcon added a comment - Patch for trunk
        Todd Lipcon made changes -
        Attachment hadoop-6995.txt [ 12456673 ]
        Todd Lipcon made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Hide
        Aaron T. Myers added a comment -

        This patch looks great, Todd. Thanks.

        Would mind also adding to documentation/content/xdocs/Secure_Impersonation.xml to document the availability of this wildcard option?

        Show
        Aaron T. Myers added a comment - This patch looks great, Todd. Thanks. Would mind also adding to documentation/content/xdocs/Secure_Impersonation.xml to document the availability of this wildcard option?
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12456673/hadoop-6995.txt
        against trunk revision 1031422.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 2 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        +1 system test framework. The patch passed system test framework compile.

        Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//testReport/
        Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12456673/hadoop-6995.txt against trunk revision 1031422. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 2 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/13//console This message is automatically generated.
        Hide
        Todd Lipcon added a comment -

        New revision includes doc update

        Show
        Todd Lipcon added a comment - New revision includes doc update
        Todd Lipcon made changes -
        Attachment hadoop-6995.txt [ 12467137 ]
        Todd Lipcon made changes -
        Status Patch Available [ 10002 ] Open [ 1 ]
        Todd Lipcon made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Hide
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12467137/hadoop-6995.txt
        against trunk revision 1052933.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 2 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        +1 system test framework. The patch passed system test framework compile.

        Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//testReport/
        Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12467137/hadoop-6995.txt against trunk revision 1052933. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 2 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/151//console This message is automatically generated.
        Hide
        Eli Collins added a comment -

        +1 lgtm

        Show
        Eli Collins added a comment - +1 lgtm
        Todd Lipcon made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Hadoop Flags [Reviewed]
        Release Note When configuring proxy users and hosts, the special wildcard value "*" may be specified to match any host or any user.
        Fix Version/s 0.23.0 [ 12315569 ]
        Resolution Fixed [ 1 ]
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk #569 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/569/)

        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk #569 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/569/ )
        Arun C Murthy made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Hide
        Jeremy Hanna added a comment -

        Could this ticket be integrated as part of a 0.20.20x release? It's a very simple patch that helps out with oozie configuration considerably - especially since 0.23 is not production ready yet.

        Show
        Jeremy Hanna added a comment - Could this ticket be integrated as part of a 0.20.20x release? It's a very simple patch that helps out with oozie configuration considerably - especially since 0.23 is not production ready yet.
        Hide
        Jeremy Hanna added a comment -

        Attaching new patch for branch1. The branch20 patch cleanly applied to branch1, then I included the doc note to Secure_Impersonation.xml which was added to a similar spot to what Todd did to Superusers.xml in 0.23.

        Show
        Jeremy Hanna added a comment - Attaching new patch for branch1. The branch20 patch cleanly applied to branch1, then I included the doc note to Secure_Impersonation.xml which was added to a similar spot to what Todd did to Superusers.xml in 0.23.
        Jeremy Hanna made changes -
        Attachment hadoop-6995-branch1.txt [ 12525081 ]
        Hide
        Alejandro Abdelnur added a comment -

        +1 to branch-1 patch. I've applied the patch and run the TestProxyUsers test

        Show
        Alejandro Abdelnur added a comment - +1 to branch-1 patch. I've applied the patch and run the TestProxyUsers test
        Hide
        Alejandro Abdelnur added a comment -

        The lack of wildcard support is biting Oozie users using Hadoop 1.x quite often. I'd like to commit this to branch-1 ASAP and making it part of the next 1.x release.

        Show
        Alejandro Abdelnur added a comment - The lack of wildcard support is biting Oozie users using Hadoop 1.x quite often. I'd like to commit this to branch-1 ASAP and making it part of the next 1.x release.
        Hide
        Todd Lipcon added a comment -

        +1 for inclusion in branch-1

        Show
        Todd Lipcon added a comment - +1 for inclusion in branch-1
        Hide
        Matt Foley added a comment -

        +1 to include in branch-1.

        Show
        Matt Foley added a comment - +1 to include in branch-1.
        Alejandro Abdelnur made changes -
        Fix Version/s 1.1.0 [ 12316501 ]
        Hide
        Mayank Bansal added a comment -

        Adding patch for 22

        Show
        Mayank Bansal added a comment - Adding patch for 22
        Mayank Bansal made changes -
        Attachment HADOOP-6995-22.patch [ 12531160 ]
        Hide
        Konstantin Shvachko added a comment -

        +1 to include in branch-0.22. Thanks Mayank.

        Show
        Konstantin Shvachko added a comment - +1 to include in branch-0.22. Thanks Mayank.
        Konstantin Shvachko made changes -
        Fix Version/s 0.22.1 [ 12319240 ]
        Fix Version/s 0.23.0 [ 12315569 ]
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-22-branch #107 (See https://builds.apache.org/job/Hadoop-Common-22-branch/107/)
        HADOOP-6995. Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon and Mayank Bansal. (Revision 1347845)

        Result = FAILURE
        shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1347845
        Files :

        • /hadoop/common/branches/branch-0.22/common/CHANGES.txt
        • /hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml
        • /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java
        • /hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java
        Show
        Hudson added a comment - Integrated in Hadoop-Common-22-branch #107 (See https://builds.apache.org/job/Hadoop-Common-22-branch/107/ ) HADOOP-6995 . Allow wildcards to be used in ProxyUsers configurations. Contributed by Todd Lipcon and Mayank Bansal. (Revision 1347845) Result = FAILURE shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1347845 Files : /hadoop/common/branches/branch-0.22/common/CHANGES.txt /hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/Superusers.xml /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/authorize/ProxyUsers.java /hadoop/common/branches/branch-0.22/common/src/test/core/org/apache/hadoop/security/authorize/TestProxyUsers.java
        Transition Time In Source Status Execution Times Last Executer Last Execution Date
        Patch Available Patch Available Open Open
        82d 14h 15m 1 Todd Lipcon 29/Dec/10 20:31
        Open Open Patch Available Patch Available
        4m 41s 2 Todd Lipcon 29/Dec/10 20:32
        Patch Available Patch Available Resolved Resolved
        7d 22h 14m 1 Todd Lipcon 06/Jan/11 18:46
        Resolved Resolved Closed Closed
        312d 6h 3m 1 Arun C Murthy 15/Nov/11 00:50

          People

          • Assignee:
            Todd Lipcon
            Reporter:
            Todd Lipcon
          • Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development