Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/12/02 21:30:00 UTC

[jira] [Created] (AMBARI-24985) Handle requests from a configured trusted proxy to identify a proxied user using Kerberos

Robert Levas created AMBARI-24985:
-------------------------------------

             Summary: Handle requests from a configured trusted proxy to identify a proxied user using Kerberos
                 Key: AMBARI-24985
                 URL: https://issues.apache.org/jira/browse/AMBARI-24985
             Project: Ambari
          Issue Type: Task
          Components: ambari-server
    Affects Versions: 2.8.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.8.0


Handle requests from a configured trusted proxy to identify a proxied user using Kerberos.

Upon receiving a request where the caller is identified using Kerberos, check to see if the request was from a (trusted) proxy.  If so, validate the trusted proxy and set the authenticated user to the proxied user specified in the "{{doAs}}" query parameter.

After receiving a request where the user is to be authenticated using Kerberos, perform the following steps:
# Determine if a proxied user is specified using a "{{doAs}}" query parameter.  
# Using the following Ambari configuration property, determine if a proxied user can be specified from the requesting host:
** {{ambari.tproxy.proxyuser.$username.hosts}}, where $username is the username of the authenticated user (not the user specified in the doAs query parameter)
# Obtain the proxied username from the {{doAs}} query parameter
# Using the following Ambari configuration property, determine if the proxied user can be specified based on the user's username:
** {{ambari.tproxy.proxyuser.$username.users}}, where $username is the username of the authenticated user
# Using the following Ambari configuration property, determine if the proxied user can be specified based on the groups the proxied user belongs to:
** {{ambari.tproxy.proxyuser.$username.groups}}, where $username is the username of the authenticated user
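
The five steps above as a fail-closed decision function. This is an added sketch, not code from the issue or from Ambari. It assumes that property values are comma-separated lists with "*" as a wildcard, that the hosts, users and groups checks must all pass, and that the authenticated username has already been derived from the Kerberos principal; the {{knox}} proxy user, host name and group data are constructed.

```python
from urllib.parse import urlsplit, parse_qs

PREFIX = "ambari.tproxy.proxyuser"   # property prefix from the issue text
WILDCARD = "*"                       # assumption: "*" means "any value"

def _permits(config, proxy_user, kind, candidates):
    """True if the comma-separated property (assumed format) lists a candidate."""
    raw = config.get(f"{PREFIX}.{proxy_user}.{kind}", "")
    allowed = {v.strip() for v in raw.split(",") if v.strip()}
    # A missing or empty property permits nothing (fail closed).
    return WILDCARD in allowed or bool(allowed & set(candidates))

def resolve_effective_user(config, authenticated_user, remote_host, url, groups_of):
    """Return the username the request runs as, or raise PermissionError.

    authenticated_user: short name already derived from the Kerberos principal.
    groups_of: hypothetical callable returning the groups of a username.
    """
    # Step 1: is a proxied user requested at all?
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("doAs", [])
    if not values:
        return authenticated_user
    if len(values) != 1 or not values[0].strip():
        raise PermissionError("doAs must appear once with a non-empty value")
    # Step 2: may this authenticated user proxy from the requesting host?
    if not _permits(config, authenticated_user, "hosts", [remote_host]):
        raise PermissionError(f"{authenticated_user} is not a proxy for {remote_host}")
    # Step 3: the proxied username comes only from the doAs parameter.
    proxied = values[0].strip()
    # Steps 4 and 5: users list, then groups list (assumption: both must pass).
    if not _permits(config, authenticated_user, "users", [proxied]):
        raise PermissionError(f"{authenticated_user} may not proxy user {proxied}")
    if not _permits(config, authenticated_user, "groups", groups_of(proxied)):
        raise PermissionError(f"{authenticated_user} may not proxy groups of {proxied}")
    return proxied

# Constructed sample configuration and group directory (not from the issue).
SAMPLE_CONFIG = {
    "ambari.tproxy.proxyuser.knox.hosts": "gateway.example.com",
    "ambari.tproxy.proxyuser.knox.users": "*",
    "ambari.tproxy.proxyuser.knox.groups": "admins, operators",
}
SAMPLE_GROUPS = {"alice": ["operators"], "bob": ["interns"]}

if __name__ == "__main__":
    print(resolve_effective_user(SAMPLE_CONFIG, "knox", "gateway.example.com",
                                 "/api/v1/clusters?doAs=alice",
                                 lambda u: SAMPLE_GROUPS.get(u, [])))
```

Because every lookup is keyed on the authenticated user rather than the {{doAs}} value, an ordinary Kerberos user with no {{ambari.tproxy.proxyuser.*}} entries cannot impersonate anyone by adding the parameter.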



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)