ranger-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Authorization for policy downloads
Date Mon, 15 May 2017 10:54:18 GMT
Thanks Vel. Shouldn't we make sure that "/service/plugins/policies" can't
be invoked unless two way SSL is in place?

Colm.

On Fri, May 12, 2017 at 6:03 PM, Velmurugan Periasamy <vel@apache.org>
wrote:

> Hi Colm:
>
> In kerberized environments, /service/plugins/secure/policies/download should
> be used for download and will be restricted to valid plugins as you pointed
> out. /service/plugins/policies will need to be protected by two way SSL and
> exists for backward compatibility.
>
> Thanks,
> Vel
>
> From:  Colm O hEigeartaigh <coheigea@apache.org>
> Reply-To:  "dev@ranger.apache.org" <dev@ranger.apache.org>,
> "coheigea@apache.org" <coheigea@apache.org>
> Date:  Tuesday, May 2, 2017 at 8:50 AM
> To:  "dev@ranger.apache.org" <dev@ranger.apache.org>
> Subject:  Authorization for policy downloads
>
> Hi all,
>
> A quick question for something that is puzzling me. I can download policies
> from the Admin service with no credentials like e.g.:
>
> curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop
>
> However, when my kerberized HDFS plugin tries to pull policies down (as the
> "hdfs" user), I get an authorization error that the user is not allowed to
> download the policies. I have to edit the "cl1_hadoop" configuration and
> add the "hdfs" user to the "policy.download.auth.users" property.
>
> Why is this step necessary when I can just download the policies with no
> credentials with curl? Are we looking at a security issue here?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
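
A defender-side check for the point raised in this thread, added here as an example (it is not part of the original messages or of Ranger's code): it sends the same anonymous request as the curl command quoted above to the legacy `/service/plugins/policies/download/<service>` path and reports whether the Admin service answered without a client certificate. The function names, verdict strings, exit codes and the treatment of 401/403 as a refusal are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Ranger project code). Base URL and service name are
# supplied by the operator; verdict wording and exit codes are this example's own.

# classify_probe SCHEME STATUS
#   STATUS is curl's %{http_code}; "000" means no HTTP response was received.
#   Returns 0 = refused, 1 = exposed, 2 = inconclusive.
classify_probe() {
    scheme=$1
    status=$2
    if [ "$scheme" != "https" ]; then
        # Two-way SSL cannot be in force on a plain-HTTP listener.
        case $status in
            200) echo "EXPOSED: policies served over plain HTTP without credentials"; return 1 ;;
            000) echo "NO-RESPONSE: nothing answered on the plain-HTTP listener"; return 2 ;;
            *)   echo "NO-TLS: HTTP $status, but the listener is plain HTTP"; return 2 ;;
        esac
    fi
    case $status in
        200)     echo "EXPOSED: policies served without a client certificate"; return 1 ;;
        401|403) echo "REFUSED: HTTP $status"; return 0 ;;
        000)     echo "NO-RESPONSE: connection or TLS handshake failed; expected when a client certificate is required, confirm the service is up"; return 2 ;;
        *)       echo "UNEXPECTED: HTTP $status"; return 2 ;;
    esac
}

# check_legacy_policy_endpoint BASE_URL SERVICE_NAME
#   Requests BASE_URL/service/plugins/policies/download/SERVICE_NAME anonymously.
check_legacy_policy_endpoint() {
    base=${1%/}
    scheme=${base%%://*}
    url="$base/service/plugins/policies/download/$2"
    # -k: the probe tests client authentication, not the server certificate.
    # No -u, --cert or --negotiate: the request is deliberately anonymous.
    status=$(curl -k -s -o /dev/null --max-time 10 -w '%{http_code}' "$url") || true
    classify_probe "$scheme" "${status:-000}"
}

# Usage (constructed host name):
#   check_legacy_policy_endpoint https://ranger-admin.example.org cl1_hadoop
```

A non-zero exit status lets the check fail a deployment pipeline; exit status 2 needs a follow-up request made with a valid plugin client certificate to tell a required-certificate rejection from an outage.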
