Configuring proxy authentication
Learn about the properties that you need to set for configuring proxy authentication.
efm.security.user.proxy.enabled=true
efm.security.user.proxy.headerName=x-webauth-user
efm.security.user.proxy.ipWhitelist=
efm.security.user.proxy.dnWhitelist[0]=
efm.security.user.proxy.enabled
Whether proxy authentication is enabled.
efm.security.user.proxy.headerName
Case-insensitive header name set by the proxy holding the end user identity.
efm.security.user.proxy.ipWhitelist
Limits trusted proxy IP addresses to prevent spoofing the user header. Comma-separated or multiple properties using the ipWhitelist[n] syntax:
efm.security.user.proxy.ipWhitelist[0]=
efm.security.user.proxy.ipWhitelist[1]=
efm.security.user.proxy.dnWhitelist[0]..[n]
Limits trusted proxy client certificate DNs to prevent spoofing the user header. Use the
dnWhitelist[n]
syntax as it is common for certificate DNs to contain commas.
If you are using proxy authentication, Cloudera strongly recommends that you use either the DN whitelist or IP whitelist feature to specify trusted reverse proxies. If you are not using a whitelist, it is assumed that you are using some other networking mechanism to ensure that all authenticated requests are coming from a trusted client, such as only binding the EFM server to localhost and running the authenticating proxy on the same machine on a different network interface.
The following is a curl example of passing the proxy user header to the
/api/access
endpoint that returns the recognized current user:
curl -H "X-WEBAUTH-USER: alice"
https://localhost:10090/efm/api/access
# Response:
{"identity":"alice","anonymous":false}
As you can see, this header can be added to any request, which is why DN whitelisting, IP whitelisting, or localhost binding should be used with proxy authentication.