Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/12/03 18:08:00 UTC

[jira] [Commented] (AMBARI-24985) Handle requests from a configured trusted proxy to identify a proxied user using Kerberos

    [ https://issues.apache.org/jira/browse/AMBARI-24985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707604#comment-16707604 ] 

Hudson commented on AMBARI-24985:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #10349 (See [https://builds.apache.org/job/Ambari-trunk-Commit/10349/])
[AMBARI-24985] Handle requests from a configured trusted proxy to (github: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=b6a33413e518a20e186609996b34671d33573c51])
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHelperImplTest.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/utils/RequestUtilsTest.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/api/predicate/QueryLexer.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariUserDetailsImpl.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/jwt/AmbariJwtAuthenticationProvider.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationProvider.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariUserAuthorizationFilter.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilter.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariProxyUserKerberosDetailsImpl.java
* (add) ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariProxiedUserDetailsServiceTest.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/pam/AmbariPamAuthenticationProvider.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/tproxy/TrustedProxyAuthenticationNotAllowedException.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariBasicAuthenticationFilter.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariUserDetails.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariAuthToLocalUserDetailsService.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariProxyUserDetails.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/utils/RequestUtils.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/tproxy/AmbariTProxyConfiguration.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/tproxy/TrustedProxyAuthenticationDetails.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariProxyUserDetailsImpl.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariProxiedUserDetailsImpl.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/kerberos/AmbariProxiedUserDetailsService.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/AmbariLocalAuthenticationProvider.java
* (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authentication/kerberos/AmbariKerberosAuthenticationFilterTest.java
* (add) ambari-server/src/main/java/org/apache/ambari/server/security/authentication/tproxy/TrustedProxyAuthenticationDetailsSource.java


> Handle requests from a configured trusted proxy to identify a proxied user using Kerberos
> -----------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24985
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24985
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.8.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: pull-request-available, tproxy
>             Fix For: 2.8.0
>
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> Handle requests from a configured trusted proxy to identify a proxied user using Kerberos.
> Upon receiving a request where the caller is identified using Kerberos, check to see if the request was from a (trusted) proxy.  If so, validate the trusted proxy and set the authenticated user to the proxied user specified in the "{{doAs}}" query parameter.
> After receiving a request where the user is to be authenticated using Kerberos, perform the following steps:
> # Determine if a proxied user is specified using a "{{doAs}}" query parameter.  
> # Using the following Ambari configuration property, determine if a proxied user can be specified from the requesting host:
> ** {{ambari.tproxy.proxyuser.$username.hosts}}, where $username is the username of the authenticated user (not the user specified in the doAs query parameter)
> # Obtain the proxied username from the {{doAs}} query parameter
> # Using the following Ambari configuration property, determine if the proxied user can be specified based on the user's username:
> ** {{ambari.tproxy.proxyuser.$username.users}}, where $username is the username of the authenticated user 
> # Using the following Ambari configuration property, determine if the proxied user can be specified based on the groups the proxied user belongs to:
> ** {{ambari.tproxy.proxyuser.$username.groups}}, where $username is the username of the authenticated user t



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
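
An added example, not Ambari's code: the doAs checks from the issue description above written as a stand-alone decision function. Assumed and not stated in the issue: property values are comma-separated lists, "*" matches anything, a missing property denies, and the host, user and group checks must all pass. The proxy account "knox", the host name, users and groups are constructed sample values.

```python
# Added example modelling the trusted-proxy decision described in AMBARI-24985.
# Assumptions (not in the issue): comma-separated values, "*" wildcard,
# missing property denies, host + user + group checks must all pass.

PREFIX = "ambari.tproxy.proxyuser."


class ProxyDenied(Exception):
    """Raised when a doAs request fails a trusted-proxy check."""


def _allowed(config, proxy_user, suffix, candidates):
    """True if any candidate is listed in ambari.tproxy.proxyuser.<proxy_user>.<suffix>."""
    raw = config.get(f"{PREFIX}{proxy_user}.{suffix}", "")
    entries = {e.strip().lower() for e in raw.split(",") if e.strip()}
    if "*" in entries:
        return True
    return any(c.lower() in entries for c in candidates)


def resolve_user(config, authenticated_user, remote_host, query, group_lookup):
    """Return the effective username for a Kerberos-authenticated request.

    authenticated_user: local name of the Kerberos-authenticated caller
    query: dict of query parameters; group_lookup: username -> iterable of groups
    """
    do_as = query.get("doAs")
    if not do_as:  # step 1: no proxied user requested
        return authenticated_user
    if not _allowed(config, authenticated_user, "hosts", [remote_host]):  # step 2
        raise ProxyDenied(f"{authenticated_user} may not proxy from {remote_host}")
    if not _allowed(config, authenticated_user, "users", [do_as]):  # steps 3-4
        raise ProxyDenied(f"{authenticated_user} may not proxy user {do_as}")
    if not _allowed(config, authenticated_user, "groups", group_lookup(do_as)):  # step 5
        raise ProxyDenied(f"{do_as} is in no group {authenticated_user} may proxy")
    return do_as


# Constructed sample configuration and group membership.
SAMPLE_CONFIG = {
    "ambari.tproxy.proxyuser.knox.hosts": "gateway.example.com",
    "ambari.tproxy.proxyuser.knox.users": "*",
    "ambari.tproxy.proxyuser.knox.groups": "analysts, operators",
}
SAMPLE_GROUPS = {"alice": ["analysts"], "mallory": ["contractors"]}


def sample_lookup(user):
    return SAMPLE_GROUPS.get(user, [])
```

The properties are always looked up under the authenticated caller's name, never the doAs value, so an account with no ambari.tproxy.proxyuser entries cannot proxy anyone.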