HADOOP-11008. Remove duplicated description about proxy-user in site documents (Masatake Iwasaki via aw)

Allen Wittenauer 2015-01-22 14:30:21 -08:00
parent d34074e237
commit fcf1058b45
4 changed files with 64 additions and 68 deletions


@ -747,6 +747,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11500. InputStream is left unclosed in ApplicationClassLoader. HADOOP-11500. InputStream is left unclosed in ApplicationClassLoader.
(Ted Yu via ozawa) (Ted Yu via ozawa)
HADOOP-11008. Remove duplicated description about proxy-user in site
documents (Masatake Iwasaki via aw)
Release 2.6.0 - 2014-11-18 Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -202,58 +202,7 @@ KVNO Timestamp Principal
Some products such as Apache Oozie which access the services of Hadoop Some products such as Apache Oozie which access the services of Hadoop
on behalf of end users need to be able to impersonate end users. on behalf of end users need to be able to impersonate end users.
You can configure proxy user using properties See {{{./Superusers.html}the doc of proxy user}} for details.
<<<hadoop.proxyuser.${superuser}.hosts>>> along with either or both of
<<<hadoop.proxyuser.${superuser}.groups>>>
and <<<hadoop.proxyuser.${superuser}.users>>>.
For example, by specifying as below in core-site.xml,
user named <<<oozie>>> accessing from any host
can impersonate any user belonging to any group.
----
<property>
<name>hadoop.proxyuser.oozie.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.groups</name>
<value>*</value>
</property>
----
User named <<<oozie>>> accessing from any host
can impersonate user1 and user2 by specifying as below in core-site.xml.
----
<property>
<name>hadoop.proxyuser.oozie.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.users</name>
<value>user1,user2</value>
</property>
----
The <<<hadoop.proxyuser.${superuser}.hosts>>> accepts list of ip addresses,
ip address ranges in CIDR format and/or host names.
For example, by specifying as below in core-site.xml,
user named <<<oozie>>> accessing from hosts in the range
10.222.0.0-15 and 10.113.221.221
can impersonate any user belonging to any group.
----
<property>
<name>hadoop.proxyuser.oozie.hosts</name>
<value>10.222.0.0/16,10.113.221.221</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.groups</name>
<value>*</value>
</property>
----
** Secure DataNode ** Secure DataNode
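Review bot: the new link text "the doc of proxy user" (right side of the first changed line of this hunk) reads awkwardly; suggest "See {{{./Superusers.html}the Proxy user documentation}} for details." so that it matches the renamed page title. Pointing SecureMode at a single source for the `hadoop.proxyuser.*` settings is the right move: the two copies of the `oozie` examples had already drifted (this hunk shows the `hosts`/`groups` wildcard, `users` list and CIDR examples), and a reader configuring impersonation should only have one place to check.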


@ -11,19 +11,19 @@
~~ limitations under the License. See accompanying LICENSE file. ~~ limitations under the License. See accompanying LICENSE file.
--- ---
Superusers Acting On Behalf Of Other Users Proxy user - Superusers Acting On Behalf Of Other Users
--- ---
--- ---
${maven.build.timestamp} ${maven.build.timestamp}
Superusers Acting On Behalf Of Other Users Proxy user - Superusers Acting On Behalf Of Other Users
%{toc|section=1|fromDepth=0} %{toc|section=1|fromDepth=0}
* Introduction * Introduction
This document describes how a superuser can submit jobs or access hdfs This document describes how a superuser can submit jobs or access hdfs
on behalf of another user in a secured way. on behalf of another user.
* Use Case * Use Case
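Review bot: the new title "Proxy user - Superusers Acting On Behalf Of Other Users" (both the front-matter block and the page heading in this hunk) uses "Proxy user", while the site menu item added in this commit is labelled "Proxy User"; pick one capitalization for the title and the menu. Dropping "in a secured way" from the introduction is fine given that the Caveats section now states explicitly which requirements apply only when the cluster runs in Secure Mode.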
@ -38,9 +38,12 @@ Superusers Acting On Behalf Of Other Users
on a connection authenticated with super's kerberos credentials. In on a connection authenticated with super's kerberos credentials. In
other words super is impersonating the user joe. other words super is impersonating the user joe.
Some products such as Apache Oozie need this.
* Code example * Code example
In this example super's kerberos credentials are used for login and a In this example super's credentials are used for login and a
proxy user ugi object is created for joe. The operations are performed proxy user ugi object is created for joe. The operations are performed
within the doAs method of this proxy user ugi object. within the doAs method of this proxy user ugi object.
@ -63,21 +66,26 @@ Superusers Acting On Behalf Of Other Users
* Configurations * Configurations
The superuser must be configured on namenode and jobtracker to be You can configure proxy user using properties
allowed to impersonate another user. Following configurations are <<<hadoop.proxyuser.${superuser}.hosts>>> along with either or both of
required. <<<hadoop.proxyuser.${superuser}.groups>>>
and <<<hadoop.proxyuser.${superuser}.users>>>.
By specifying as below in core-site.xml,
the superuser named <<<super>>> can connect
only from <<<host1>>> and <<<host2>>>
to impersonate a user belonging to <<<group1>>> and <<<group2>>>.
---- ----
<property>
<name>hadoop.proxyuser.super.groups</name>
<value>group1,group2</value>
<description>Allow the superuser super to impersonate any members of the group group1 and group2</description>
</property>
<property> <property>
<name>hadoop.proxyuser.super.hosts</name> <name>hadoop.proxyuser.super.hosts</name>
<value>host1,host2</value> <value>host1,host2</value>
<description>The superuser can connect only from host1 and host2 to impersonate a user</description>
</property> </property>
<property>
<name>hadoop.proxyuser.super.groups</name>
<value>group1,group2</value>
</property>
---- ----
If these configurations are not present, impersonation will not be If these configurations are not present, impersonation will not be
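Review bot: the reordered example drops both `<description>` elements ("Allow the superuser super to impersonate any members of the group group1 and group2" and "The superuser can connect only from host1 and host2 to impersonate a user"); since admins tend to paste this block straight into core-site.xml, keeping the descriptions would document the intent next to the values. Also, the new prose "to impersonate a user belonging to <<<group1>>> and <<<group2>>>" suggests membership in both groups is required, whereas the comma-separated value `group1,group2` is a list of permitted groups; suggest "a user belonging to <<<group1>>> or <<<group2>>>".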
@ -85,11 +93,47 @@ Superusers Acting On Behalf Of Other Users
If more lax security is preferred, the wildcard value * may be used to If more lax security is preferred, the wildcard value * may be used to
allow impersonation from any host or of any user. allow impersonation from any host or of any user.
For example, by specifying as below in core-site.xml,
user named <<<oozie>>> accessing from any host
can impersonate any user belonging to any group.
----
<property>
<name>hadoop.proxyuser.oozie.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.oozie.groups</name>
<value>*</value>
</property>
----
The <<<hadoop.proxyuser.${superuser}.hosts>>> accepts list of ip addresses,
ip address ranges in CIDR format and/or host names.
For example, by specifying as below,
user named <<<super>>> accessing from hosts in the range
<<<10.222.0.0-15>>> and <<<10.113.221.221>>> can impersonate
<<<user1>>> and <<<user2>>>.
----
<property>
<name>hadoop.proxyuser.super.hosts</name>
<value>10.222.0.0/16,10.113.221.221</value>
</property>
<property>
<name>hadoop.proxyuser.super.users</name>
<value>user1,user2</value>
</property>
----
* Caveats * Caveats
The superuser must have kerberos credentials to be able to impersonate If the cluster is running in {{{./SecureMode.html}Secure Mode}},
another user. It cannot use delegation tokens for this feature. It the superuser must have kerberos credentials to be able to impersonate
another user.
It cannot use delegation tokens for this feature. It
would be wrong if superuser adds its own delegation token to the proxy would be wrong if superuser adds its own delegation token to the proxy
user ugi, as it will allow the proxy user to connect to the service user ugi, as it will allow the proxy user to connect to the service
with the privileges of the superuser. with the privileges of the superuser.
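Review bot: the CIDR example's prose says "hosts in the range <<<10.222.0.0-15>>>" but the configured value is `10.222.0.0/16`, which covers 10.222.0.0 through 10.222.255.255; "0-15" reads like a 16-address block, so suggest writing "hosts in <<<10.222.0.0/16>>> and <<<10.113.221.221>>>". Also "accepts list of ip addresses" should be "accepts a list of IP addresses". The wildcard example (`hosts` = `*` and `groups` = `*`) is the most permissive setting possible, letting `oozie` impersonate any user from any host; since the paragraph above already frames it as "more lax security", consider adding one sentence recommending that at least `hadoop.proxyuser.${superuser}.hosts` be restricted to the hosts the service actually runs on.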


@ -60,7 +60,7 @@
<menu name="Common" inherit="top"> <menu name="Common" inherit="top">
<item name="CLI Mini Cluster" href="hadoop-project-dist/hadoop-common/CLIMiniCluster.html"/> <item name="CLI Mini Cluster" href="hadoop-project-dist/hadoop-common/CLIMiniCluster.html"/>
<item name="Native Libraries" href="hadoop-project-dist/hadoop-common/NativeLibraries.html"/> <item name="Native Libraries" href="hadoop-project-dist/hadoop-common/NativeLibraries.html"/>
<item name="Superusers" href="hadoop-project-dist/hadoop-common/Superusers.html"/> <item name="Proxy User" href="hadoop-project-dist/hadoop-common/Superusers.html"/>
<item name="Secure Mode" href="hadoop-project-dist/hadoop-common/SecureMode.html"/> <item name="Secure Mode" href="hadoop-project-dist/hadoop-common/SecureMode.html"/>
<item name="Service Level Authorization" href="hadoop-project-dist/hadoop-common/ServiceLevelAuth.html"/> <item name="Service Level Authorization" href="hadoop-project-dist/hadoop-common/ServiceLevelAuth.html"/>
<item name="HTTP Authentication" href="hadoop-project-dist/hadoop-common/HttpAuthentication.html"/> <item name="HTTP Authentication" href="hadoop-project-dist/hadoop-common/HttpAuthentication.html"/>