hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16095) Support impersonation for AuthenticationFilter
Date Wed, 15 May 2019 16:22:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16840542#comment-16840542 ]

Eric Yang commented on HADOOP-16095:
------------------------------------

Patch 004 was the original patch that was posted to the Hadoop security mailing list on Feb 11,
2019.  This patch covers a new AuthenticationFilter that enables impersonation at the web protocol level.
It also covers a patch to apply AuthenticationFilter globally to HDFS and YARN applications.
The core filter is refined in HADOOP-16287.  The application of the filter is filed as another
issue, HADOOP-16314, to ensure all entry points are covered.

> Support impersonation for AuthenticationFilter
> ----------------------------------------------
>
>                 Key: HADOOP-16095
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16095
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: HADOOP-16095.004.patch
>
>
> External services or YARN services may need to call into WebHDFS or the YARN REST API on behalf
> of the user using web protocols. It would be good to support an impersonation mechanism in AuthenticationFilter
> or similar extensions. The general design is similar to UserGroupInformation.doAs in the RPC layer.
> The calling service credential is verified as a proxy user coming from a trusted host by verifying
> the Hadoop proxy user ACL on the server side. If the proxy user ACL allows the proxy user to become the doAs
> user, the HttpRequest object will report REMOTE_USER as the doAs user. This feature enables web application
> logic to be written with minimal changes to call the Hadoop API with the UserGroupInformation.doAs()
> wrapper.
> h2. HTTP Request
> A few possible options:
> 1. Using query parameter to pass doAs user:
> {code:java}
> POST /service?doAs=foobar
> Authorization: [proxy user Kerberos token]
> {code}
> 2. Use HTTP Header to pass doAs user:
> {code:java}
> POST /service
> Authorization: [proxy user Kerberos token]
> x-hadoop-doas: foobar
> {code}
> h2. HTTP Response
> 403 - Forbidden (Including impersonation is not allowed)
> h2. Proxy User ACL requirement
> The proxy user Kerberos token maps to a service principal, such as yarn/host1.example.com.
> The host part of the credential and the HTTP request origin are both validated against the *hadoop.proxyuser.yarn.hosts*
> ACL. The doAs user's group membership or identity is checked with either *hadoop.proxyuser.yarn.groups*
> or *hadoop.proxyuser.yarn.users*. This governs that the caller is coming from an authorized host and
> belongs to an authorized group.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

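The quoted design describes three server-side decisions: read the doAs user from either the `doAs` query parameter or the `x-hadoop-doas` header, validate the principal's host part and the request origin against `hadoop.proxyuser.<proxy>.hosts`, and validate the doAs identity against `hadoop.proxyuser.<proxy>.users` or `hadoop.proxyuser.<proxy>.groups`. The following is an added, self-contained model of that decision flow; it is not the patch's code nor Hadoop's own `ProxyUsers` implementation. It assumes the filter has already verified the Kerberos token and reduced it to a principal string, and the `CONF`, `GROUPS` and `DNS` tables, the function names, and all sample values are constructed for illustration (the `DNS` and `GROUPS` dictionaries stand in for name resolution and Hadoop's group mapping).

```python
"""Model of the proxy-user (impersonation) checks described in HADOOP-16095.
Added example; not Hadoop code. Tables below are constructed for illustration."""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed configuration using the hadoop.proxyuser.<user>.{hosts,groups,users} key shape.
CONF: Dict[str, str] = {
    "hadoop.proxyuser.yarn.hosts": "host1.example.com,10.0.1.0/24",
    "hadoop.proxyuser.yarn.groups": "analysts",
    "hadoop.proxyuser.hive.hosts": "*",
    "hadoop.proxyuser.hive.users": "alice",
}
# Constructed stand-ins for Hadoop's group mapping and for DNS resolution.
GROUPS: Dict[str, set] = {"foobar": {"analysts"}, "alice": {"admins"}, "mallory": {"guests"}}
DNS: Dict[str, str] = {"host1.example.com": "10.0.0.5", "host2.example.com": "10.0.2.7"}


def short_name(principal: str) -> str:
    """'yarn/host1.example.com@EXAMPLE.COM' -> 'yarn' (the proxy user's short name)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def principal_host(principal: str) -> Optional[str]:
    """Host part of a service principal, or None for a plain user principal."""
    instance = principal.split("@", 1)[0]
    return instance.split("/", 1)[1] if "/" in instance else None


def _members(csv: str) -> set:
    return {x.strip() for x in csv.split(",") if x.strip()}


def host_allowed(acl: str, host_or_ip: str) -> bool:
    """True if host_or_ip matches an entry of a hosts ACL ('*', hostname, IP or CIDR)."""
    if acl.strip() == "*":
        return True
    try:
        addr = ipaddress.ip_address(DNS.get(host_or_ip, host_or_ip))
    except ValueError:
        return False  # unresolvable origin never matches a concrete entry
    for entry in _members(acl):
        if entry == "*":
            return True
        if entry in DNS:  # hostname entry: compare by resolved address
            if addr == ipaddress.ip_address(DNS[entry]):
                return True
            continue
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # malformed entry is ignored rather than treated as a wildcard
    return False


def user_allowed(proxy: str, doas: str, conf: Dict[str, str]) -> bool:
    """doAs user must be listed in .users or belong to a group listed in .groups."""
    users = conf.get(f"hadoop.proxyuser.{proxy}.users", "")
    groups = conf.get(f"hadoop.proxyuser.{proxy}.groups", "")
    if users.strip() == "*" or doas in _members(users):
        return True
    return groups.strip() == "*" or bool(GROUPS.get(doas, set()) & _members(groups))


def doas_from_request(target: str, headers: Dict[str, str]) -> Optional[str]:
    """Option 1 from the design: ?doAs=<user>; option 2: x-hadoop-doas header."""
    query = parse_qs(urlsplit(target).query)
    if "doAs" in query:
        return query["doAs"][0]
    for name, value in headers.items():
        if name.lower() == "x-hadoop-doas":
            return value
    return None


def authorize(principal: str, remote_addr: str, target: str,
              headers: Dict[str, str], conf: Dict[str, str] = CONF) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, REMOTE_USER): 200 with the doAs user on success, 403 otherwise."""
    proxy = short_name(principal)
    doas = doas_from_request(target, headers)
    if doas is None:
        return 200, proxy  # no impersonation requested: caller acts as itself
    hosts_acl = conf.get(f"hadoop.proxyuser.{proxy}.hosts", "")
    phost = principal_host(principal)
    # Both the credential's host part and the request origin must pass the hosts ACL.
    if phost is not None and not host_allowed(hosts_acl, phost):
        return 403, None
    if not host_allowed(hosts_acl, remote_addr):
        return 403, None
    if not user_allowed(proxy, doas, conf):
        return 403, None
    return 200, doas


if __name__ == "__main__":
    print(authorize("yarn/host1.example.com@EXAMPLE.COM", "10.0.1.20", "/service?doAs=foobar", {}))
    print(authorize("yarn/host1.example.com@EXAMPLE.COM", "10.0.0.5", "/service",
                    {"x-hadoop-doas": "mallory"}))
```

A missing `hadoop.proxyuser.<proxy>.hosts` entry yields an empty ACL, so an unconfigured service principal is denied impersonation rather than silently allowed; malformed ACL entries are skipped instead of being treated as wildcards.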