ranger-dev mailing list archives

From Velmurugan Periasamy <...@apache.org>
Subject Re: Authorization for policy downloads
Date Fri, 12 May 2017 17:03:20 GMT

Hi Colm:

In kerberized environments, /service/plugins/secure/policies/download should
be used for download and will be restricted to valid plugins as you pointed
out. /service/plugins/policies will need to be protected by two-way SSL and
exists for backward compatibility.


From:  Colm O hEigeartaigh <coheigea@apache.org>
Reply-To:  "dev@ranger.apache.org" <dev@ranger.apache.org>,
"coheigea@apache.org" <coheigea@apache.org>
Date:  Tuesday, May 2, 2017 at 8:50 AM
To:  "dev@ranger.apache.org" <dev@ranger.apache.org>
Subject:  Authorization for policy downloads

Hi all,

A quick question for something that is puzzling me. I can download policies
from the Admin service with no credentials, e.g.:

curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop

However, when my kerberized HDFS plugin tries to pull policies down (as the
"hdfs" user), I get an authorization error that the user is not allowed to
download the policies. I have to edit the "cl1_hadoop" configuration and
add the "hdfs" user to the "policy.download.auth.users" property.

Why is this step necessary when I can just download the policies with no
credentials with curl? Are we looking at a security issue here?


Colm O hEigeartaigh

Talend Community Coder
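
A check an administrator can run against their own Ranger Admin after applying the advice in this thread, as an added example that is not part of the original messages or of Ranger's own tooling: it requests both download paths with no credentials and no client certificate and classifies the result. The function names are hypothetical, and the assumptions are that the secure path takes the service name as its last segment like the legacy path, and that 401/403 means the request was refused.

```shell
#!/bin/sh
# Added example: anonymous probe of both Ranger Admin policy-download paths.
# Assumption: the secure path takes the service name as its final segment.

# classify STATUS -> verdict for a request sent with no credentials or client cert
classify() {
    case "$1" in
        2??)     echo EXPOSED ;;        # policies returned to an anonymous caller
        401|403) echo BLOCKED ;;        # server demanded authentication
        000)     echo NO_CONNECTION ;;  # no HTTP reply: TLS handshake refused or host down
        *)       echo REVIEW ;;         # redirect, 404, 5xx: inspect manually
    esac
}

# transport URL -> PLAINTEXT when two-way SSL cannot be in effect
transport() {
    case "$1" in
        https://*) echo TLS ;;
        *)         echo PLAINTEXT ;;
    esac
}

# probe URL -> HTTP status code, or 000 when curl received no HTTP response
probe() {
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

# audit BASE_URL SERVICE -> one line per endpoint; returns 1 if any is EXPOSED
audit() {
    base=${1%/} service=$2 rc=0
    if [ "$(transport "$base")" = PLAINTEXT ]; then
        echo "WARN plain HTTP: two-way SSL is not in effect on $base"
    fi
    for path in /service/plugins/policies/download /service/plugins/secure/policies/download; do
        v=$(classify "$(probe "$base$path/$service")")
        echo "$v $path/$service"
        if [ "$v" = EXPOSED ]; then rc=1; fi
    done
    return $rc
}

# Run only when a target is supplied, e.g.
#   RANGER_URL=http://localhost:6080 SERVICE=cl1_hadoop sh audit.sh
if [ -n "${RANGER_URL:-}" ]; then
    audit "$RANGER_URL" "${SERVICE:?set SERVICE to the Ranger service name}"
fi
```

A NO_CONNECTION result on an https:// base URL is the expected outcome when the listener requires a client certificate, but it cannot be told apart from an unreachable host without checking connectivity separately.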
