Posted to dev@ranger.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2017/05/02 15:50:37 UTC

Authorization for policy downloads

Hi all,

A quick question for something that is puzzling me. I can download policies
from the Admin service with no credentials like e.g.:

curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop

However, when my kerberized HDFS plugin tries to pull policies down (as the
"hdfs" user), I get an authorization error that the user is not allowed to
download the policies. I have to edit the "cl1_hadoop" configuration and
add the "hdfs" user to the "policy.download.auth.users" property.

Why is this step necessary when I can just download the policies with no
credentials with curl? Are we looking at a security issue here?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Authorization for policy downloads

Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks Vel. Shouldn't we make sure that "/service/plugins/policies" can't
be invoked unless two way SSL is in place?

Colm.

On Fri, May 12, 2017 at 6:03 PM, Velmurugan Periasamy <ve...@apache.org>
wrote:

> Hi Colm:
>
> In kerberized environments, /service/plugins/secure/policies/download
> should
> be used for download and will be restricted to valid plugins as you pointed
> out. /service/plugins/policies will need to be protected by two way SSL and
> exists for backward compatibility.
>
> Thanks,
> Vel
>
> From:  Colm O hEigeartaigh <co...@apache.org>
> Reply-To:  "dev@ranger.apache.org" <de...@ranger.apache.org>,
> "coheigea@apache.org" <co...@apache.org>
> Date:  Tuesday, May 2, 2017 at 8:50 AM
> To:  "dev@ranger.apache.org" <de...@ranger.apache.org>
> Subject:  Authorization for policy downloads
>
> Hi all,
>
> A quick question for something that is puzzling me. I can download policies
> from the Admin service with no credentials like e.g.:
>
> curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop
>
> However, when my kerberized HDFS plugin tries to pull policies down (as the
> "hdfs" user), I get an authorization error that the user is not allowed to
> download the policies. I have to edit the "cl1_hadoop" configuration and
> add the "hdfs" user to the "policy.download.auth.users" property.
>
> Why is this step necessary when I can just download the policies with no
> credentials with curl? Are we looking at a security issue here?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Authorization for policy downloads

Posted by Velmurugan Periasamy <ve...@apache.org>.
Hi Colm:

In kerberized environments, /service/plugins/secure/policies/download should
be used for download and will be restricted to valid plugins as you pointed
out. /service/plugins/policies will need to be protected by two way SSL and
exists for backward compatibility.

Thanks,
Vel

From:  Colm O hEigeartaigh <co...@apache.org>
Reply-To:  "dev@ranger.apache.org" <de...@ranger.apache.org>,
"coheigea@apache.org" <co...@apache.org>
Date:  Tuesday, May 2, 2017 at 8:50 AM
To:  "dev@ranger.apache.org" <de...@ranger.apache.org>
Subject:  Authorization for policy downloads

Hi all,

A quick question for something that is puzzling me. I can download policies
from the Admin service with no credentials like e.g.:

curl -v http://localhost:6080/service/plugins/policies/download/cl1_hadoop

However, when my kerberized HDFS plugin tries to pull policies down (as the
"hdfs" user), I get an authorization error that the user is not allowed to
download the policies. I have to edit the "cl1_hadoop" configuration and
add the "hdfs" user to the "policy.download.auth.users" property.

Why is this step necessary when I can just download the policies with no
credentials with curl? Are we looking at a security issue here?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
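The thread describes two policy-download endpoints on Ranger Admin: the legacy /service/plugins/policies/download/<service>, which answered Colm's credential-less curl, and /service/plugins/secure/policies/download/<service>, which is the one kerberized plugins should use and which is restricted to the users listed in policy.download.auth.users. A practitioner reading this wants a way to verify, from outside, which of the two answers an anonymous client. The script below is an added example written for this page; it is not Apache Ranger code. The endpoint paths are taken from the thread; the Ranger Admin base URL, the service name "cl1_hadoop", the JSON body, and the in-process mock server that reproduces the state Colm reports (legacy path 200, secure path 401) are all assumptions constructed so the example runs offline. Point probe_policy_download() at a real Admin URL to run it for real; an Admin that actually enforces two-way SSL on the legacy path will refuse the anonymous TLS handshake, which the probe reports as status 0 rather than as an exposure.

```python
"""Anonymous probe of the two Ranger Admin policy-download endpoints named in
the thread.  Added example, not part of Apache Ranger.  Base URL, service
name, response bodies and the mock server are constructed assumptions."""
from __future__ import annotations

import http.server
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass

# Paths quoted in the thread; {service} is the Ranger service name, e.g. cl1_hadoop.
LEGACY_PATH = "/service/plugins/policies/download/{service}"
SECURE_PATH = "/service/plugins/secure/policies/download/{service}"


@dataclass
class ProbeResult:
    path: str
    status: int    # HTTP status seen by a client with no credentials (0 = no HTTP reply)
    exposed: bool  # True when the policy document came back anonymously


def _anonymous_get(url: str, timeout: float = 5.0) -> int:
    """GET with no Kerberos ticket, no session cookie and no client certificate.
    HTTP errors map to their status code; a refused/failed handshake maps to 0."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return 0  # e.g. two-way SSL rejected the anonymous connection


def probe_policy_download(base_url: str, service: str) -> list[ProbeResult]:
    """Probe both download endpoints anonymously.  A 200 from either one means a
    client holding no credentials can read that service's authorization policies."""
    results = []
    for tmpl in (LEGACY_PATH, SECURE_PATH):
        path = tmpl.format(service=service)
        status = _anonymous_get(base_url.rstrip("/") + path)
        results.append(ProbeResult(path=path, status=status, exposed=(status == 200)))
    return results


def findings(results: list[ProbeResult]) -> list[str]:
    """One finding per endpoint that served policies to the anonymous probe."""
    return [f"{r.path} served policies to an anonymous client (HTTP {r.status}); "
            "front it with two-way SSL or move plugins to the secure endpoint"
            for r in results if r.exposed]


class _MockRangerAdmin(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the state described in the thread:
    the legacy path answers anonymously, the secure path demands authentication."""

    def do_GET(self):
        if self.path.startswith("/service/plugins/secure/policies/download/"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")  # assumed SPNEGO challenge
            self.end_headers()
        elif self.path.startswith("/service/plugins/policies/download/"):
            body = b'{"serviceName":"cl1_hadoop","policies":[]}'  # constructed sample
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def run_against_mock(service: str = "cl1_hadoop") -> tuple[list[ProbeResult], list[str]]:
    """Start the mock Admin on a free loopback port, probe it, return (results, findings)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _MockRangerAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        results = probe_policy_download(base, service)
        return results, findings(results)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    res, fnd = run_against_mock()
    for r in res:
        print(f"{r.status:>3}  {r.path}")
    for f in fnd:
        print("FINDING:", f)
```

Run as-is it reports the legacy path as exposed and the secure path as requiring authentication, which is exactly the asymmetry Colm noticed; the useful real-world check is to re-run probe_policy_download() against the Admin after the legacy endpoint has been put behind two-way SSL and confirm it no longer returns 200.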