[
https://issues.apache.org/jira/browse/KNOX-2770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-2770:
--------------------------------
Description:
*Steps to reproduce*
* create a topology with Knox's HadoopAuth filter as the authentication provider and include the KNOXTOKEN service (let's call it {{myKnoxTokenTopology}} in this sample)
* make sure the HadoopAuth filter is configured in such a way that it allows the hive users (can be any user, I use hive as a sample) to impersonate hdfs
* make sure that token state management is disabled in the KNOXTOKEN service
* log in to Kerberos as the hive user (kinit using a valid hive keytab)
* try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. {{curl --negotiate -u : "https://$(hostname -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}})

*Actual results*
The second call fails with an error message like this:
{noformat}
{
  "RemoteException" : {
    "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
    "exception" : "AuthorizationException",
    "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
  }
}
{noformat}

*Expected results*
Both KnoxToken REST API invocations should have succeeded.

*Action plan:*
* fix the issue of refreshing Hadoop's proxyuser configuration in TokenResource when token state management is disabled
* reuse the already existing new service-level configuration called {{knox.token.impersonation.enabled}} that lets us enable/disable the doAs support on the KnoxToken path regardless of the token state management settings

was:
*Steps to reproduce*
* create a topology with Knox's HadoopAuth filter as the authentication provider and include the KNOXTOKEN service (let's call it {{myKnoxTokenTopology}} in this sample)
* make sure the HadoopAuth filter is configured in such a way that it allows the hive users (can be any user, I use hive as a sample) to impersonate hdfs
* make sure that token state management is disabled in the KNOXTOKEN service
* log in to Kerberos as the hive user (kinit using a valid hive keytab)
* try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. {{curl --negotiate -u : "https://$(hostname -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}})

*Actual results*
The second call fails with an error message like this:
{noformat}
{
  "RemoteException" : {
    "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
    "exception" : "AuthorizationException",
    "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
  }
}
{noformat}

*Expected results*
Both KnoxToken REST API invocations should have succeeded.

*Action plan:*
* fix the issue of refreshing Hadoop's proxyuser configuration in TokenResource when token state management is disabled
* introduce a new service-level configuration that lets us enable/disable the doAs support on the KnoxToken path regardless of the token state management settings

> KnoxToken doAs won't work with HadoopAuth filter
> ------------------------------------------------
>
> Key: KNOX-2770
> URL: https://issues.apache.org/jira/browse/KNOX-2770
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h