[ https://issues.apache.org/jira/browse/KNOX-2770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated KNOX-2770:
--------------------------------
    Description: 
*Steps to reproduce*
* create a topology with Knox's HadoopAuth filter as the authentication provider and include the KNOXTOKEN service (let's call it {{myKnoxTokenTopology}} in this sample)
* make sure the HadoopAuth filter is configured in a way such that it allows the hive users (can be any user, I use hive as a sample) to impersonate hdfs
* make sure that token state management is disabled in the KNOXTOKEN service
* log in to Kerberos as the hive user (kinit using a valid hive keytab)
* try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. {{curl --negotiate -u : "https://$(hostname -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}})

*Actual results*
The second call fails with an error message like this:
{noformat}
{
  "RemoteException" : {
    "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
    "exception" : "AuthorizationException",
    "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
  }
}
{noformat}

*Expected results*
Both KnoxToken REST API invocations should have succeeded.
*Action plan:*
* fix the issue of refreshing Hadoop's proxyuser configuration in TokenResource when token state management is disabled
* reuse the already existing new service-level configuration called {{knox.token.impersonation.enabled}} that lets us enable/disable the doAs support on the KnoxToken path regardless of the token state management settings

  was:
*Steps to reproduce*
* create a topology with Knox's HadoopAuth filter as the authentication provider and include the KNOXTOKEN service (let's call it {{myKnoxTokenTopology}} in this sample)
* make sure the HadoopAuth filter is configured in a way such that it allows the hive users (can be any user, I use hive as a sample) to impersonate hdfs
* make sure that token state management is disabled in the KNOXTOKEN service
* log in to Kerberos as the hive user (kinit using a valid hive keytab)
* try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. {{curl --negotiate -u : "https://$(hostname -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}})

*Actual results*
The second call fails with an error message like this:
{noformat}
{
  "RemoteException" : {
    "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
    "exception" : "AuthorizationException",
    "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
  }
}
{noformat}

*Expected results*
Both KnoxToken REST API invocations should have succeeded.
*Action plan:*
* fix the issue of refreshing Hadoop's proxyuser configuration in TokenResource when token state management is disabled
* reuse the already existing new service-level configuration called {{knox.token.impersonation.enabled}} that let us enable/disable the doAs support on the KnoxToken path regardless of the token state management settings


> KnoxToken doAs won't work with HadoopAuth filter
> ------------------------------------------------
>
>                 Key: KNOX-2770
>                 URL: https://issues.apache.org/jira/browse/KNOX-2770
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Blocker
>             Fix For: 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
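An added example, not code from Knox or from the issue, that exercises the Hadoop proxyuser check behind the "is not allowed to impersonate" error quoted in the report, using the public ProxyUsers and UserGroupInformation APIs from hadoop-common; the user names, the extra principal hue and the client address 10.0.0.5 are constructed for the demonstration. It shows that doAs rules only exist once ProxyUsers.refreshSuperUserGroupsConfiguration has loaded them, that repeated authorize calls against loaded rules give the same answer, and that a refresh carrying no proxyuser keys rejects every impersonation afterwards.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/** Exercises the Hadoop proxyuser check that produces "User: X is not allowed to impersonate Y". */
public class ProxyUserCheckDemo {

    /** Loads one proxyuser rule; the keys are the hadoop.proxyuser.* keys the HadoopAuth filter takes. */
    static void loadRules(String realUser, String allowedUsers, String allowedHosts) {
        Configuration conf = new Configuration(false);
        conf.set("hadoop.proxyuser." + realUser + ".users", allowedUsers);
        conf.set("hadoop.proxyuser." + realUser + ".hosts", allowedHosts);
        // The rules only take effect once they are pushed into the static ProxyUsers table.
        ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    }

    /** True if realUser may act as doAsUser from remoteAddr under the rules currently loaded. */
    static boolean mayImpersonate(String realUser, String doAsUser, String remoteAddr) {
        UserGroupInformation real = UserGroupInformation.createRemoteUser(realUser);
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(doAsUser, real);
        try {
            // The ACL is looked up by the real user's short name (e.g. hive for hive@MY_HOST after auth_to_local mapping).
            ProxyUsers.authorize(proxy, remoteAddr);
            return true;
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: hive may act as hdfs from any host; 10.0.0.5 is a constructed client address.
        loadRules("hive", "hdfs", "*");
        // Two consecutive checks against the same loaded rules give the same answer: both pass,
        // which is what the expected results require of two KnoxToken requests.
        for (int i = 1; i <= 2; i++) {
            System.out.println("request " + i + ": hive as hdfs -> " + mayImpersonate("hive", "hdfs", "10.0.0.5"));
        }
        // A principal with no proxyuser entry (hue is constructed) is refused with the quoted message.
        System.out.println("hue as hdfs -> " + mayImpersonate("hue", "hdfs", "10.0.0.5"));
        // A refresh that carries no proxyuser keys replaces the table with an empty one, so even hive
        // is refused afterwards: the class of failure a wrong or missing refresh in TokenResource causes.
        ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration(false));
        System.out.println("after empty refresh: hive as hdfs -> " + mayImpersonate("hive", "hdfs", "10.0.0.5"));
    }
}
```

Run it with hadoop-common on the classpath; no Kerberos login is needed because the check only depends on the loaded proxyuser rules and the real/proxy user pair.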