[jira] [Work logged] (KNOX-2672) Handle gateway-level aliases in Hadoop authentication filter

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2672?focusedWorklogId=659347&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-659347
 ]

ASF GitHub Bot logged work on KNOX-2672:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Oct/21 18:29
            Start Date: 03/Oct/21 18:29
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged pull request #503:
URL: https://github.com/apache/knox/pull/503


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 659347)
    Time Spent: 0.5h  (was: 20m)

> Handle gateway-level aliases in Hadoop authentication filter
> ------------------------------------------------------------
>
>                 Key: KNOX-2672
>                 URL: https://issues.apache.org/jira/browse/KNOX-2672
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The current {{HadoopAuthFilter}} implementation is [capable of handling 
> aliases on topology 
> level|https://github.com/apache/knox/blob/v1.5.0/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java#L267-L275]:
> {noformat}
>         if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
>           String alias = value.substring("${ALIAS=".length(), value.length() 
> - 1);
>           try {
>             value = String.valueOf(
>                 aliasService.getPasswordFromAliasForCluster(clusterName, 
> alias));
>           } catch (AliasServiceException e) {
>             throw new ServletException("Unable to retrieve alias for config: 
> " + name, e);
>           }
>         }
>  {noformat}
> However, this solution is not too flexible: imagine you create a shared 
> provider configuration with the {{HadoopAuth}} provider where you want to use 
> an alias (e.g the keytab file location in Cloudera Manager isn't static, it's 
> relative to the Knox process's directory). At the provider creation time, you 
> don't know the descriptors (topologies) that may reference your newly created 
> shared provider configuration. Thus, you cannot create the desired aliases in 
> advance using the Knox CLI. what you can do is to create an alias on the 
> gateway-level which the HadoopAuth filter should be able to lookup.
> The suggested solution is to extend the above logic as follows: if the 
> topology-level alias is not found, try to get the value from the 
> gateway-level.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)