You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Benoy Antony (JIRA)" <ji...@apache.org> on 2014/06/11 00:17:01 UTC
[jira] [Commented] (HADOOP-10679) Authorize webui access using
ServiceAuthorizationManager
[ https://issues.apache.org/jira/browse/HADOOP-10679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14027125#comment-14027125 ]
Benoy Antony commented on HADOOP-10679:
---------------------------------------
Here is the proposal:
1. Define an AuthorizationFilter.
2. The AuthorizationFilter looks up ACL in hadoop-policy.xml using the key derived from HttpServletRequest.getServletPath() .
3. If ACL is not found, the ACL defaults to *.
This will inherit the following features (in progress)
Note 1 : Administrator can override default ACL - HADOOP-10649
Note 2 : Administrator can specify a reverse ACL - HADOOP-10650
Note 3 : Administrator block/grant access via IPS - HADOOP-10651
Note 4 : One can plugin a different AuthZ module - HADOOP-10654
> Authorize webui access using ServiceAuthorizationManager
> --------------------------------------------------------
>
> Key: HADOOP-10679
> URL: https://issues.apache.org/jira/browse/HADOOP-10679
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Benoy Antony
> Assignee: Benoy Antony
>
> Currently accessing Hadoop via RPC can be authorized using _ServiceAuthorizationManager_. But there is no uniform authorization of the HTTP access. Some of the servlets check for admin privilege.
> This creates an inconsistency of authorization between access via RPC vs HTTP.
> The fix is to enable authorization of the webui access using _ServiceAuthorizationManager_.
--
This message was sent by Atlassian JIRA
(v6.2#6252)