[
https://issues.apache.org/jira/browse/KNOX-2612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17356601#comment-17356601
]
Rohan Nimmagadda edited comment on KNOX-2612 at 6/7/21, 7:47 PM:
-----------------------------------------------------------------
it was working fine with Hadoop 3.2 + knox webHDFS , we started seeing Knox
webHDFS issue with Hadoop 3.3
the namenode API is working only when we set user.name flag but knox is
dispatching the doAs flag when we hitting webHDFS via knox endpoint, it would
be nice if knox support user.name flag as well for webHDFS
working nameNode API
{{curl -u :
"}}{{[http://namenode:port/webhdfs/v1/tmp/?user.name=user&op=LISTSTATUS|http://drcn1010.target.com:9870/webhdfs/v1/tmp/?user.name=z003k8q&op=LISTSTATUS]}}{{"}}
We are expecting to work same with Knox endpoint as well but its throughing an
error
curl -v -s -ik -u user:'pass' curl
"[https://knoxhost:8443/gateway/default/webhdfs/v1/tmp/?user.name=user&op=LISTSTATUS]
{code:java}
2021-06-07 13:11:58,773 DEBUG knox.gateway
(UrlRewriteProcessor.java:rewrite(164)) - Rewrote URL:
https://Knox:8443/gateway/default/webhdfs/v1/tmp/?user.name=user&op=LISTSTATUS,
direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to URL:
http://namenode:port/webhdfs/v1/tmp?user.name=user&op=LISTSTATUS
2021-06-07 13:11:58,773 WARN knox.gateway
(IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(202))
- Possible identity spoofing attempt - impersonation parameter removed:
user.name
2021-06-07 13:11:58,774 DEBUG knox.gateway
(DefaultDispatch.java:executeOutboundRequest(115)) - Dispatch request: GET
http://namenode:port/webhdfs/v1/tmp?op=LISTSTATUS&doAs=hdfs
2021-06-07 13:11:58,777 DEBUG knox.gateway
(DefaultDispatch.java:executeOutboundRequest(128)) - Dispatch response status:
403
{code}
Knox webHDFS API is not working either with user.name , doAs or without any
flags getting same expectation
{code:java}
{"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Security enabled but
user not authenticated by filter"}
}
{code}
was (Author: rohannimmagadda):
it was working fine with Hadoop 3.2 + knox webHDFS , we started seeing Knox
webHDFS issue with Hadoop 3.3
the namenode API works fine with curl request
{{curl -u :
"}}{{[http://namenode:port/webhdfs/v1/tmp/?user.name=user&op=LISTSTATUS|http://drcn1010.target.com:9870/webhdfs/v1/tmp/?user.name=z003k8q&op=LISTSTATUS]}}{{"}}
We are expecting to work same with Knox endpoint as well but its throughing an
error
curl -v -s -ik -u user:'pass' curl
"https://knoxhost:8443/gateway/default/webhdfs/v1/tmp/?user.name=user&op=LISTSTATUS
Knox webHDFS API is not working either with user.name , doAs or without any
flags getting same expectation
{code:java}
{"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information: java.io.IOException: Security enabled but
user not authenticated by filter"}
}
{code}
> Knox + webHDFS is not working with Hadoop 3.3
> ----------------------------------------------
>
> Key: KNOX-2612
> URL: https://issues.apache.org/jira/browse/KNOX-2612
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO, Server
> Affects Versions: 1.4.0, 1.5.0
> Reporter: Rohan Nimmagadda
> Priority: Blocker
>
> Hadoop 3.3 Webhdfs is not working with Knox end point getting below exception
> Tried hadoop side of things by changing hadoop.http.filter.initializers in
> core-site to default AuthFilter and
> org.apache.hadoop.security.AuthenticationFilterInitializer value
> result shows same having issues with webHDFS
> Knox Webhdfs API :
> [https://knoxhost:8443/gateway/default/webhdfs/v1/tmp/?|https://drcn1003.target.com:8443/gateway/bigred/webhdfs/v1/tmp/?]
> &op=LISTSTATUS
> {"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
> to obtain user group information: java.io.IOException: Security enabled but
> user not authenticated by filter"}}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
