diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index aaa70417e9a..47eaf7b550d 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -747,6 +747,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11500. InputStream is left unclosed in ApplicationClassLoader. (Ted Yu via ozawa) + HADOOP-11008. Remove duplicated description about proxy-user in site + documents (Masatake Iwasaki via aw) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm index 0a11bef9898..02352197e5f 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/SecureMode.apt.vm 
@@ -202,58 +202,7 @@ KVNO Timestamp Principal Some products such as Apache Oozie which access the services of Hadoop on behalf of end users need to be able to impersonate end users. - You can configure proxy user using properties - <<>> along with either or both of - <<>> - and <<>>. - - For example, by specifying as below in core-site.xml, - user named <<>> accessing from any host - can impersonate any user belonging to any group. - ----- - - hadoop.proxyuser.oozie.hosts - * - - - hadoop.proxyuser.oozie.groups - * - ----- - - User named <<>> accessing from any host - can impersonate user1 and user2 by specifying as below in core-site.xml. - ----- - - hadoop.proxyuser.oozie.hosts - * - - - hadoop.proxyuser.oozie.users - user1,user2 - ----- - - The <<>> accepts list of ip addresses, - ip address ranges in CIDR format and/or host names. - - For example, by specifying as below in core-site.xml, - user named <<>> accessing from hosts in the range - 10.222.0.0-15 and 10.113.221.221 - can impersonate any user belonging to any group. - ----- - - hadoop.proxyuser.oozie.hosts - 10.222.0.0/16,10.113.221.221 - - - hadoop.proxyuser.oozie.groups - * - ----- + See {{{./Superusers.html}the doc of proxy user}} for details. ** Secure DataNode diff --git a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm index f9408846435..78ed9a49c90 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/Superusers.apt.vm 
@@ -11,19 +11,19 @@ ~~ limitations under the License. See accompanying LICENSE file. --- - Superusers Acting On Behalf Of Other Users + Proxy user - Superusers Acting On Behalf Of Other Users --- --- ${maven.build.timestamp} -Superusers Acting On Behalf Of Other Users +Proxy user - Superusers Acting On Behalf Of Other Users %{toc|section=1|fromDepth=0} * Introduction This document describes how a superuser can submit jobs or access hdfs - on behalf of another user in a secured way. + on behalf of another user. * Use Case @@ -38,9 +38,12 @@ Superusers Acting On Behalf Of Other Users on a connection authenticated with super's kerberos credentials. In other words super is impersonating the user joe. + Some products such as Apache Oozie need this. + + * Code example - In this example super's kerberos credentials are used for login and a + In this example super's credentials are used for login and a proxy user ugi object is created for joe. The operations are performed within the doAs method of this proxy user ugi object. @@ -63,21 +66,26 @@ Superusers Acting On Behalf Of Other Users * Configurations - The superuser must be configured on namenode and jobtracker to be - allowed to impersonate another user. Following configurations are - required. + You can configure proxy user using properties + <<>> along with either or both of + <<>> + and <<>>. + + By specifying as below in core-site.xml, + the superuser named <<>> can connect + only from <<>> and <<>> + to impersonate a user belonging to <<>> and <<>>. ---- - - hadoop.proxyuser.super.groups - group1,group2 - Allow the superuser super to impersonate any members of the group group1 and group2 - hadoop.proxyuser.super.hosts host1,host2 - The superuser can connect only from host1 and host2 to impersonate a user + + hadoop.proxyuser.super.groups + group1,group2 + + ---- If these configurations are not present, impersonation will not be 
@@ -85,11 +93,47 @@ Superusers Acting On Behalf Of Other Users If more lax security is preferred, the wildcard value * may be used to allow impersonation from any host or of any user. + For example, by specifying as below in core-site.xml, + user named <<>> accessing from any host + can impersonate any user belonging to any group. + +---- + + hadoop.proxyuser.oozie.hosts + * + + + hadoop.proxyuser.oozie.groups + * + +---- + + The <<>> accepts list of ip addresses, + ip address ranges in CIDR format and/or host names. + For example, by specifying as below, + user named <<>> accessing from hosts in the range + <<<10.222.0.0-15>>> and <<<10.113.221.221>>> can impersonate + <<>> and <<>>. + +---- + + hadoop.proxyuser.super.hosts + 10.222.0.0/16,10.113.221.221 + + + hadoop.proxyuser.super.users + user1,user2 + +---- + * Caveats - The superuser must have kerberos credentials to be able to impersonate - another user. It cannot use delegation tokens for this feature. It + If the cluster is running in {{{./SecureMode.html}Secure Mode}}, + the superuser must have kerberos credentials to be able to impersonate + another user. + + It cannot use delegation tokens for this feature. It would be wrong if superuser adds its own delegation token to the proxy user ugi, as it will allow the proxy user to connect to the service with the privileges of the superuser. diff --git a/hadoop-project/src/site/site.xml b/hadoop-project/src/site/site.xml index 637f7ebefa2..6fa66484c04 100644 --- a/hadoop-project/src/site/site.xml +++ b/hadoop-project/src/site/site.xml @@ -60,7 +60,7 @@ - +
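Review bot: in the SecureMode.apt.vm hunk the replacement link text "the doc of proxy user" reads awkwardly; since the Superusers page title is changed in this same patch, suggest matching it, e.g. `See {{{./Superusers.html}Proxy user - Superusers Acting On Behalf Of Other Users}} for details.` so the cross-reference and the page heading agree.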
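Review bot: in the `@@ -38,9 +38,12 @@` hunk of Superusers.apt.vm the added sentence "Some products such as Apache Oozie need this." is thin; the SecureMode.apt.vm text kept by this patch already says why ("access the services of Hadoop on behalf of end users"), so suggest "Some products such as Apache Oozie need this to access Hadoop services on behalf of end users." to give the reader the reason in one place.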
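Review bot: in the `@@ -63,21 +66,26 @@` hunk of Superusers.apt.vm the removed paragraph stated that the superuser must be configured on the namenode and jobtracker, and the replacement only explains the property names, so the reader no longer learns which daemons must carry these core-site.xml settings; keep a sentence stating where they must be set. Also, the new prose says super "can connect only from host1 and host2", but the surviving example lines show only `hadoop.proxyuser.super.groups` / `group1,group2`; confirm the `hadoop.proxyuser.super.hosts` entry with `host1,host2` is still present in the example, since without it the hosts restriction the text describes is not configured.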
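Review bot: in the `@@ -85,11 +93,47 @@` hunk the prose "hosts in the range <<<10.222.0.0-15>>>" does not match the configured value `10.222.0.0/16`, which covers 10.222.0.0 through 10.222.255.255; write the range as 10.222.0.0/16 in the text as well (the same mismatch was in the text this patch removes from SecureMode.apt.vm, so it has been carried over rather than fixed). Next to the preceding wildcard example, the sentence "If more lax security is preferred" already applies, so consider stating explicitly that `*` for both hosts and groups lets the oozie user impersonate any user from any host, to make the trade-off clear to administrators copying the snippet. The split of the caveat into "If the cluster is running in Secure Mode, the superuser must have kerberos credentials" and the delegation-token paragraph reads correctly and is consistent with dropping "kerberos" from the code-example hunk.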