Posted to common-dev@hadoop.apache.org by "zhiyong zhang (JIRA)" <ji...@apache.org> on 2009/05/29 06:06:45 UTC

[jira] Updated: (HADOOP-5851) proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL

     [ https://issues.apache.org/jira/browse/HADOOP-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhiyong zhang updated HADOOP-5851:
----------------------------------

    Attachment: HADOOP-5851.patch

a) Add another filter code named LdapIpDirFilter.java, which will be installed as a deployment descriptor (in web.xml).

b) program flowchart.
      1. IP = HttpServletRequest.getRemoteAddr()
      2. Ldap.search(uniqueMember:cn=IP) to find role. 
          2.a. if nothing found, 403 return
      3. role A was found, from role A, extract userId and HDFS root paths allowed, say PLIST. 
      4. log userId. 
      5. get PATH = HttpServletRequest.getPathInfo()
      6. check if PATH or any of its parents is in PLIST
          6.a. if not, 403 return.
      7. access allowed, filter pass

c) use a Dummy LDAP Object server to do the unit test.

> proxy to call LDAP for IP lookup and get user ID and directories, validate requested URL
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-5851
>                 URL: https://issues.apache.org/jira/browse/HADOOP-5851
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: contrib/hdfsproxy
>            Reporter: zhiyong zhang
>            Assignee: zhiyong zhang
>            Priority: Critical
>         Attachments: HADOOP-5851.patch
>
>
> It is easy to manage user accounts using LDAP. By adding support for LDAP, the proxy can do IP authorization in a headless fashion.
> When a user sends a request, the proxy extracts the IP address and the request PathInfo from the request. Then it searches the LDAP server to get the allowed HDFS root paths for the given IP address. The proxy will match the user's request PathInfo against the allowed HDFS root paths and return 403 if it cannot find a match.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
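
The flow in (b), sketched as an added example that is not the code in HADOOP-5851.patch: a Map stands in for the LDAP search, and the class, record and method names and the sample addresses are hypothetical. It compares paths on whole components after collapsing "." and "..", the two places where step 6 is easy to get wrong.

```java
import java.util.*;

// Added example: hypothetical names throughout; a Map stands in for the LDAP search.
public class LdapIpDirCheck {
    // Constructed stand-in for one LDAP role entry: user ID plus allowed HDFS root paths (PLIST).
    record Role(String userId, List<String> allowedRoots) {}
    private final Map<String, Role> rolesByIp;
    LdapIpDirCheck(Map<String, Role> rolesByIp) { this.rolesByIp = rolesByIp; }

    // Collapse ".", ".." and empty segments so "/data/a/../b" is checked as "/data/b".
    static String normalize(String path) {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { parts.pollLast(); continue; }
            parts.addLast(seg);
        }
        return "/" + String.join("/", parts);
    }

    // Step 6: true if the path equals an allowed root or lies beneath one, compared on
    // whole path components so "/data/ab" does not match the root "/data/a".
    static boolean isAllowed(String path, List<String> allowedRoots) {
        String p = normalize(path);
        for (String root : allowedRoots) {
            String r = normalize(root);
            if (p.equals(r) || r.equals("/") || p.startsWith(r + "/")) return true;
        }
        return false;
    }

    // Steps 1-7: returns the HTTP status the filter would produce.
    int check(String remoteAddr, String pathInfo) {
        Role role = rolesByIp.get(remoteAddr);                       // step 2: look up role by IP
        if (role == null) return 403;                                // step 2.a
        System.out.println("userId=" + role.userId());               // step 4: log userId
        if (pathInfo == null) return 403;                            // assumption: no path means deny
        return isAllowed(pathInfo, role.allowedRoots()) ? 200 : 403; // steps 6, 6.a, 7
    }

    public static void main(String[] args) {
        // Constructed sample data; 192.0.2.0/24 is a documentation address range.
        LdapIpDirCheck f = new LdapIpDirCheck(
            Map.of("192.0.2.10", new Role("alice", List.of("/data/a", "/user/alice"))));
        System.out.println(f.check("192.0.2.10", "/data/a/part-0"));      // beneath an allowed root
        System.out.println(f.check("192.0.2.10", "/data/ab/part-0"));     // shares only a string prefix
        System.out.println(f.check("192.0.2.10", "/data/a/../b/part-0")); // ".." leaves the allowed root
        System.out.println(f.check("192.0.2.99", "/data/a/part-0"));      // IP with no role entry
    }
}
```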