Posted to dev@atlas.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2018/11/10 22:17:00 UTC
[jira] [Commented] (ATLAS-2824) Atlas authentication to support proxy-user
[ https://issues.apache.org/jira/browse/ATLAS-2824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16682627#comment-16682627 ]
Larry McCay commented on ATLAS-2824:
------------------------------------
Couple comments:
{code}
+ if(allowTrustedProxy) { + String doAsUserName = httpRequest.getParameter("doAs"); + + if (doAsUserName != null && isTrustedProxyUsers(doAsUserName) && isIpTrusted(httpRequest.getParameter("x-forwarded-host")) ) { +
{code}
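Review bot: In the if condition, isTrustedProxyUsers(doAsUserName) is applied to the value of the doAs parameter, which is the name the caller asks to act as, and isIpTrusted() is given httpRequest.getParameter("x-forwarded-host"), a request parameter rather than a header or the connection's address, so both inputs to the trust decision are values the caller supplies. Apply the proxy-user check to the already authenticated caller and treat doAs only as the target user; take the address from httpRequest.getRemoteAddr(), and consult a forwarded header via httpRequest.getHeader() only when the immediate peer is itself a trusted proxy. getParameter() returns null when the parameter is absent, so confirm isIpTrusted() rejects null rather than passing it through.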
* why not have trusted proxy enabled by default?
* you may want to consider making the check for doAs user case-insensitive
* not sure you want to use x-forwarded-host here - if there is a LB in front of a trusted proxy like Knox then the x-forwarded-host will be the load balancer. Now, if there is a LB between Knox and Atlas then maybe you do want that - in which case maybe you want to check both. This needs some additional thought but I don't think the above is sufficient.
> Atlas authentication to support proxy-user
> ------------------------------------------
>
> Key: ATLAS-2824
> URL: https://issues.apache.org/jira/browse/ATLAS-2824
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Reporter: Nixon Rodrigues
> Assignee: Nixon Rodrigues
> Priority: Major
> Fix For: 1.2.0, 2.0.0
>
> Attachments: ATLAS-2824.patch
>
>
> Atlas authentication module should support the notion of proxy-user, who would be allowed to perform operations on behalf of other users i.e. impersonate other users - similar to Hadoop as documented [here|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html].