Posted to common-issues@hadoop.apache.org by "Eric Payne (Jira)" <ji...@apache.org> on 2021/08/19 18:35:00 UTC

[jira] [Created] (HADOOP-17857) Check real user ACLs in addition to proxied user ACLs

Eric Payne created HADOOP-17857:
-----------------------------------

             Summary: Check real user ACLs in addition to proxied user ACLs
                 Key: HADOOP-17857
                 URL: https://issues.apache.org/jira/browse/HADOOP-17857
             Project: Hadoop Common
          Issue Type: Improvement
    Affects Versions: 3.3.1, 2.10.1, 3.2.2
            Reporter: Eric Payne


In a secure cluster, it is possible to configure the services to allow a super-user to proxy to a regular user and perform actions on behalf of the proxied user (see [Proxy user - Superusers Acting On Behalf Of Other Users|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]).

This is useful for automating server access for multiple different users in a multi-tenant cluster. For example, this can be used by a super user submitting jobs to a YARN queue, accessing HDFS files, scheduling Oozie workflows, etc., which will then execute the service as the proxied user.

Usually when these services check ACLs to determine if the user has access to the requested resources, the service only needs to check the ACLs for the proxied user. However, it is sometimes desirable to allow the proxied user to have access to the resources when only the real user has open ACLs.

For instance, let's say the user {{adm}} is the only user with submit ACLs to the {{dataload}} queue, and the {{adm}} user wants to submit apps to the {{dataload}} queue on behalf of users {{headless1}} and {{headless2}}. In addition, we want to be able to bill {{headless1}} and {{headless2}} separately for the YARN resources used in the {{dataload}} queue. In order to do this, the apps need to run in the {{dataload}} queue as the respective headless users. We could open up the ACLs to the {{dataload}} queue to allow {{headless1}} and {{headless2}} to submit apps. But this would allow those users to submit any app to that queue, and not be limited to just the data loading apps, and we don't trust the {{headless1}} and {{headless2}} owners to honor that restriction.

This JIRA proposes that we define a way to set up ACLs to restrict a resource's access to a super-user, but when the access happens, run it as the proxied user.



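The {{dataload}} scenario from the description, as a small Python model of the access decision. This is an added illustration, not Hadoop code and not part of the JIRA: the names PROXY_USERS, SUBMIT_ACL, Caller and the check_real_user switch are hypothetical, and the JIRA itself does not yet specify the mechanism.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (assumption, modelled on the scenario in the description).
PROXY_USERS = {"adm": {"headless1", "headless2"}}  # super-user -> users it may impersonate
SUBMIT_ACL = {"dataload": {"adm"}}                 # queue -> users holding the submit ACL


@dataclass(frozen=True)
class Caller:
    effective_user: str              # the user the request runs as
    real_user: Optional[str] = None  # the authenticated super-user; None when not proxied


def proxy_allowed(c: Caller) -> bool:
    """A proxied request is valid only if the real user may impersonate the effective user."""
    if c.real_user is None:
        return True
    return c.effective_user in PROXY_USERS.get(c.real_user, set())


def can_submit(c: Caller, queue: str, check_real_user: bool) -> bool:
    """check_real_user=False: only the effective (proxied) user's ACL is consulted.
    check_real_user=True: the real user's ACL is accepted as well (the proposal)."""
    if not proxy_allowed(c):
        return False
    acl = SUBMIT_ACL.get(queue, set())
    if c.effective_user in acl:
        return True
    # A direct (non-proxied) caller has no real user to fall back on.
    return check_real_user and c.real_user is not None and c.real_user in acl


def submit(c: Caller, queue: str, check_real_user: bool) -> Optional[str]:
    """Return the user the app runs (and is billed) as, or None when access is denied."""
    return c.effective_user if can_submit(c, queue, check_real_user) else None


if __name__ == "__main__":
    cases = [
        Caller("headless1", "adm"),    # adm submitting on behalf of headless1
        Caller("headless1"),           # headless1 submitting directly
        Caller("headless1", "oozie"),  # a super-user with no proxy rule and no ACL
        Caller("adm"),                 # adm submitting as itself
    ]
    for c in cases:
        print(c, "proxied-only:", submit(c, "dataload", False),
              "with real-user check:", submit(c, "dataload", True))
```

In this model the app is still attributed to the proxied user, so {{headless1}} and {{headless2}} are billed separately, while neither can reach the queue without going through {{adm}}.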