Thomas Tauber-Marshall created KNOX-2026:
--------------------------------------------

             Summary: Accept Impala's authentication cookies
                 Key: KNOX-2026
                 URL: https://issues.apache.org/jira/browse/KNOX-2026
             Project: Apache Knox
          Issue Type: Task
          Components: Server
            Reporter: Thomas Tauber-Marshall


With the Impala service definitions that were recently added, it would be nice 
if Knox would accept and return the authentication cookies that Impala 
generates.

As far as I can tell, they are not currently being accepted due to failing the 
two checks here: 
https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67

For the first check, isAuthCookie(), it's fairly easy to add Impala's cookie 
name (impala.auth) to the options.

For the second check, isKnoxCookie(), which appears to have been added in 
KNOX-1341, Knox requires a very specific cookie format. While Impala uses the 
same basic scheme for generating cookies as Hadoop, the precise format is 
slightly different, so we fail the check. I can see a few options for fixing 
this:
- Update Impala to use the exact same cookie format as Hadoop. This is 
relatively easy, but it seems overly restrictive to me to require that all 
components use the exact same cookie format, and could cause headaches if 
Impala or any other components ever need to modify their cookie format.
- Make the isKnoxCookie() check more permissive. The simplest thing would be to 
just check that the Knox principal is present somewhere in the cookie value, 
which should accept any cookie that uses the basic format of having a sequence 
of values, including the authenticated username/principal, along with an HMAC. 
It seems unlikely to me that would result in storing any undesired cookies, but 
if it's too permissive, another option would be to make the format dependent on 
the cookie name.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
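
The two forms of the isKnoxCookie() check discussed in the message, side by side, as an added example that is not code from Knox, Impala or the original message. The cookie layouts, the `knox` principal, the sample values and the class and method names are all assumptions constructed for illustration.

```java
import java.util.Map;

public class CookieFormatCheck {
    // Assumption: the key that carries the authenticated user in each cookie's
    // value. These layouts are constructed for this example, not read from
    // Knox, Hadoop or Impala source.
    static final Map<String, String> USER_KEY =
            Map.of("hadoop.auth", "u", "impala.auth", "u");

    // Permissive option: accept if the principal appears anywhere in the value.
    static boolean containsPrincipal(String value, String principal) {
        return value != null && value.contains(principal);
    }

    // Name-dependent option: split the value into '&'-separated fields and
    // require the user field for this cookie name to equal the principal.
    static boolean userFieldMatches(String name, String value, String principal) {
        String key = USER_KEY.get(name);
        if (key == null || value == null) {
            return false; // unknown cookie name: no format to check against
        }
        for (String field : value.split("&")) {
            int eq = field.indexOf('=');
            if (eq > 0 && field.substring(0, eq).equals(key)) {
                return field.substring(eq + 1).equals(principal);
            }
        }
        return false; // no user field present
    }

    public static void main(String[] args) {
        String principal = "knox"; // assumed gateway principal
        String[][] samples = {     // constructed cookie name/value pairs
            {"hadoop.auth", "u=knox&p=knox/gw@EXAMPLE.COM&t=kerberos&e=1700000000000&s=c2ln"},
            {"impala.auth", "aG1hYw==&u=knox&t=1700000000000&r=42"},
            {"impala.auth", "aG1hYw==&u=knoxville&t=1700000000000&r=42"},
            {"impala.auth", "aG1hYw==&u=alice&d=knox&t=1700000000000&r=42"},
        };
        for (String[] s : samples) {
            System.out.printf("%-12s substring=%-5b userField=%-5b %s%n", s[0],
                    containsPrincipal(s[1], principal),
                    userFieldMatches(s[0], s[1], principal), s[1]);
        }
    }
}
```

The last two samples are the cases where the two checks disagree: the principal string occurs in the value, but not as the exact authenticated user.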
