Hadoop YARN / YARN-7923

Refine proxy user authorization to support multiple ACL list


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      This Jira is follow-up work for HADOOP-14077.  The original goal of HADOOP-14077 is to have the ability to support multiple ACL lists when checking for proxy user authorization in AuthenticationFilter, to ensure there is a way to authorize normal users and admin users using separate proxy user ACL lists.  This was suggested in HADOOP-14060 to configure AuthenticationFilterWithProxyUser this way:

      AuthenticationFilterWithProxyUser->StaticUserWebFilter->AuthenticationFilterWithProxyUser

      This enables the second AuthenticationFilterWithProxyUser to validate both credentials claimed by the proxy user and the end user.

      However, there is a side effect that unauthorized users are not properly rejected with a 403 FORBIDDEN message if there is no other web filter configured to handle the required authorization work.

      This JIRA is intended to discuss the work of HADOOP-14077 by either combining StaticUserWebFilter + the second AuthenticationFilterWithProxyUser into an AuthorizationFilterWithProxyUser as a final filter to evict unauthorized users, or reverting both HADOOP-14077 and HADOOP-13119 to eliminate the false positive in user authorization.
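
A simplified model of the point raised in this description, as an added example that is not Hadoop code and not part of the original issue: filters that check an ACL list but only record a match let an unauthorized proxy request reach the servlet unless a final filter rejects it with 403. The class, filter, user and ACL names are hypothetical, and the way the filters pass state down the chain is an assumption of the model.

```java
import java.util.*;

/** Toy model of the filter chain in this issue. Not Hadoop code; all names are hypothetical. Java 9+. */
public class ProxyAuthzChainDemo {
    static final int OK = 200, FORBIDDEN = 403;

    /** Request state that filters annotate as it moves down the chain. */
    static class Req {
        final String proxyUser, doAs; // authenticated caller, and the end user it claims to act for
        boolean authorized;           // set only when some ACL list allows the pair
        Req(String proxyUser, String doAs) { this.proxyUser = proxyUser; this.doAs = doAs; }
    }

    interface Filter { int apply(Req r, Iterator<Filter> rest); }

    /** Pass the request to the next filter; past the last filter the servlet answers 200. */
    static int next(Req r, Iterator<Filter> rest) {
        return rest.hasNext() ? rest.next().apply(r, rest) : OK;
    }

    /** Checks one ACL list (proxy user -> end users it may act for). Records a match, never rejects. */
    static Filter aclCheck(Map<String, Set<String>> acl) {
        return (r, rest) -> {
            if (acl.getOrDefault(r.proxyUser, Set.of()).contains(r.doAs)) r.authorized = true;
            return next(r, rest);
        };
    }

    /** Final filter: fail closed with 403 when no ACL list authorized the request. */
    static final Filter DENY_UNAUTHORIZED = (r, rest) -> r.authorized ? next(r, rest) : FORBIDDEN;

    static int run(List<Filter> chain, Req r) { return next(r, chain.iterator()); }

    public static void main(String[] args) {
        // Constructed ACL lists: one for normal users, one for admin users.
        Map<String, Set<String>> userAcl = Map.of("gateway", Set.of("alice"));
        Map<String, Set<String>> adminAcl = Map.of("admin-gateway", Set.of("clusteradmin"));
        List<Filter> withoutFinal = List.of(aclCheck(userAcl), aclCheck(adminAcl));
        List<Filter> withFinal = List.of(aclCheck(userAcl), aclCheck(adminAcl), DENY_UNAUTHORIZED);

        // "gateway" is not listed for "clusteradmin" in either ACL list.
        System.out.println("no final filter:   " + run(withoutFinal, new Req("gateway", "clusteradmin")));
        System.out.println("with final filter: " + run(withFinal, new Req("gateway", "clusteradmin")));
        // Pairs that one of the two lists allows still pass the final filter.
        System.out.println("user ACL pair:     " + run(withFinal, new Req("gateway", "alice")));
        System.out.println("admin ACL pair:    " + run(withFinal, new Req("admin-gateway", "clusteradmin")));
    }
}
```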


            People

              Assignee: Eric Yang (eyang)
              Reporter: Eric Yang (eyang)
              Votes: 0
              Watchers: 5
