Posted to common-issues@hadoop.apache.org by "Luke Lu (JIRA)" <ji...@apache.org> on 2012/07/05 12:10:34 UTC

[jira] [Created] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Luke Lu created HADOOP-8561:
-------------------------------

             Summary: Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes
                 Key: HADOOP-8561
                 URL: https://issues.apache.org/jira/browse/HADOOP-8561
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
            Reporter: Luke Lu
            Assignee: Yu Gao


To solve the problem for an authenticated user to type hadoop shell commands in a web console, we can introduce an HADOOP_PROXY_USER environment variable to allow proper impersonation in the child hadoop client processes.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Yu Gao (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yu Gao updated HADOOP-8561:
---------------------------

    Attachment: hadoop-8561-branch-2.patch
    

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408342#comment-13408342 ] 

Owen O'Malley commented on HADOOP-8561:
---------------------------------------

I'm not against making an environment variable/property to set the user, but we might as well use the one we already have and enable HADOOP_USER_NAME in secure mode to mean act as a proxy for the given user.
                

        

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Luke Lu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408383#comment-13408383 ] 

Luke Lu commented on HADOOP-8561:
---------------------------------

We'd also like to use proxy user in "semi" secure mode as well.
                

        

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407320#comment-13407320 ] 

Todd Lipcon commented on HADOOP-8561:
-------------------------------------

We achieved this in Hue with a simple wrapper around FsShell:

http://grepcode.com/file/repository.cloudera.com/content/repositories/releases/com.cloudera.hue/sudo-shell/1.2.0-cdh3u0/com/cloudera/hue/SudoFsShell.java?av=f
                

        

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Luke Lu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489674#comment-13489674 ] 

Luke Lu commented on HADOOP-8561:
---------------------------------

This approach has the added benefit of working with clients (like HBase shell) not written in Java.

> Using an env makes me a bit squeamish since it may introduce an unexpected attack vector.

It won't do anything for ordinary users. An admin web app of course needs to do a few things: sanitize the input to disallow fork/exec, etc.
                

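An added illustration, not part of the original thread or of the HADOOP-8561 patches: one way a web console could build the child `hadoop fs` process discussed above, assuming the child client honours HADOOP_PROXY_USER as the issue proposes. The function names, the subcommand allowlist and the user-name pattern are assumptions of this sketch.

```python
import os
import re
import shlex
import subprocess

# Assumed policy for this sketch: short POSIX-style account names only.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Hypothetical allowlist: the only FsShell subcommands the console exposes.
ALLOWED_FS_COMMANDS = {"-ls", "-cat", "-du", "-stat", "-mkdir"}

# Only these variables are copied from the console's own environment.
PASSTHROUGH_ENV = ("PATH", "JAVA_HOME", "HADOOP_CONF_DIR", "KRB5CCNAME")


class RejectedCommand(ValueError):
    """The request must not be turned into a child process."""


def build_child(auth_user, command_line, parent_env=None):
    """Return (argv, env) for a child `hadoop fs` run on behalf of auth_user.

    auth_user is the identity the console authenticated (from the session,
    never from the request body); command_line is the untrusted typed text.
    """
    parent_env = os.environ if parent_env is None else parent_env
    if not USER_RE.fullmatch(auth_user):
        raise RejectedCommand("unacceptable user name")
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(str(exc)) from exc
    # Exactly `hadoop fs <allowed subcommand> ...`; anything else (bash,
    # `hadoop jar`, generic options such as -D before the subcommand) is refused.
    if argv[:2] != ["hadoop", "fs"] or len(argv) < 3:
        raise RejectedCommand("only 'hadoop fs' is available")
    if argv[2] not in ALLOWED_FS_COMMANDS:
        raise RejectedCommand("subcommand not allowed: " + argv[2])
    # Fresh environment: a HADOOP_PROXY_USER or LD_PRELOAD already present in
    # the parent is dropped, then the proxy user is set from the session.
    env = {k: parent_env[k] for k in PASSTHROUGH_ENV if k in parent_env}
    env["HADOOP_PROXY_USER"] = auth_user
    return argv, env


def run_for_user(auth_user, command_line, timeout=60):
    """Run the validated command without a shell, so ';', '|' and '$()' in
    the typed text stay literal arguments instead of spawning processes."""
    argv, env = build_child(auth_user, command_line)
    return subprocess.run(argv, env=env, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
```

The cluster still decides whether the console's own account may impersonate anyone, through the `hadoop.proxyuser.<name>.hosts` and `hadoop.proxyuser.<name>.groups` settings in core-site.xml.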
[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13410543#comment-13410543 ] 

Daryn Sharp commented on HADOOP-8561:
-------------------------------------

I kind of like Todd's approach.  Maybe we should consider adding a sudo command to {{FsShell}} so it's not a separate utility.  Using an env makes me a bit squeamish since it may introduce an unexpected attack vector.
                

        

[jira] [Updated] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Luke Lu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Luke Lu updated HADOOP-8561:
----------------------------

    Hadoop Flags: Reviewed
          Status: Patch Available  (was: Open)

The patches lgtm. +1 pending jenkins.
                

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Robert Joseph Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407112#comment-13407112 ] 

Robert Joseph Evans commented on HADOOP-8561:
---------------------------------------------

This would be really good for testing as well.  We have seen issues with HFTP tokens being broken only for proxy users, but were not testing it properly.  This should make that testing a lot simpler in the future.  +1 for the idea. 
                

        

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Luke Lu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408393#comment-13408393 ] 

Luke Lu commented on HADOOP-8561:
---------------------------------

@Owen, I'm fine with repurposing HADOOP_USER_NAME and for proxy user (better auditing and access control even without Kerberos), though it's an incompatible change. One of the reasons we added HADOOP_PROXY_USER is to preserve the original semantics for HADOOP_USER_NAME.
                

        

[jira] [Updated] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Yu Gao (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yu Gao updated HADOOP-8561:
---------------------------

    Attachment: hadoop-8561-branch-1.patch
    

[jira] [Commented] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489893#comment-13489893 ] 

Hadoop QA commented on HADOOP-8561:
-----------------------------------

+1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12551912/hadoop-8561.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 1 new or modified test files.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in hadoop-common-project/hadoop-common.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1701//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1701//console

This message is automatically generated.
                

[jira] [Updated] (HADOOP-8561) Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes

Posted by "Yu Gao (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yu Gao updated HADOOP-8561:
---------------------------

    Attachment: hadoop-8561.patch
    