Sandor Molnar created KNOX-2831:
-----------------------------------

             Summary: Knox token impersonation in multiple topologies
                 Key: KNOX-2831
                 URL: https://issues.apache.org/jira/browse/KNOX-2831
             Project: Apache Knox
          Issue Type: Task
          Components: Server
    Affects Versions: 2.0.0
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.0.0


With KNOX-2714, users can create tokens on behalf of others by configuring 
[Knox Token Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation] 
in the {{KNOXTOKEN}} service.

However, when there are multiple topologies with the {{KNOXTOKEN}} service and 
they have different proxyuser configurations, the feature breaks as follows:
 - {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
 - {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}

Let's see this flow:
 # get a token for {{targetUser1}} by {{user1}} - this succeeds
 # get a token for {{targetUser2}} by {{user2}} - this succeeds
 # get another token for {{targetUser1}} by {{user1}} - this fails

The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's 
{{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix)}}, 
which the 2nd call overrides in the {{init}} method of that servlet. So the 3rd 
call will fail because the previous configuration on that topology is lost.
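
The three-step flow above, as an added example that is not part of the original issue and is not Knox or Hadoop code. {{GlobalProxyUsers}} and {{TopologyProxyUsers}} are hypothetical classes: the first models a process-wide rule table that every refresh replaces, the second shows one possible way to keep the rules per topology (not necessarily the project's fix). It assumes each topology's {{init}} runs on the first request to that topology.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the issue; hypothetical classes, not Hadoop or Knox code.
public class ProxyUserStateDemo {

    // Process-wide rule table: a refresh replaces the rules for every topology.
    static class GlobalProxyUsers {
        private static Map<String, Set<String>> rules = Map.of();
        static void refresh(Map<String, Set<String>> conf) { rules = conf; }
        static boolean authorize(String realUser, String doAs) {
            return rules.getOrDefault(realUser, Set.of()).contains(doAs);
        }
    }

    // Per-topology rule table: initializing one topology cannot touch another.
    static class TopologyProxyUsers {
        private final Map<String, Set<String>> rules;
        TopologyProxyUsers(Map<String, Set<String>> conf) { rules = Map.copyOf(conf); }
        boolean authorize(String realUser, String doAs) {
            return rules.getOrDefault(realUser, Set.of()).contains(doAs);
        }
    }

    public static void main(String[] args) {
        // Constructed proxyuser settings matching the two topologies in the issue.
        Map<String, Set<String>> topology1 = Map.of("user1", Set.of("targetUser1"));
        Map<String, Set<String>> topology2 = Map.of("user2", Set.of("targetUser2"));

        // Shared state: the second init overwrites what the first one loaded.
        GlobalProxyUsers.refresh(topology1);   // topology1 init
        System.out.println("shared 1: " + GlobalProxyUsers.authorize("user1", "targetUser1"));
        GlobalProxyUsers.refresh(topology2);   // topology2 init
        System.out.println("shared 2: " + GlobalProxyUsers.authorize("user2", "targetUser2"));
        System.out.println("shared 3: " + GlobalProxyUsers.authorize("user1", "targetUser1"));

        // Isolated state: the same three requests, each checked against its own topology.
        TopologyProxyUsers t1 = new TopologyProxyUsers(topology1);
        TopologyProxyUsers t2 = new TopologyProxyUsers(topology2);
        System.out.println("isolated 1: " + t1.authorize("user1", "targetUser1"));
        System.out.println("isolated 2: " + t2.authorize("user2", "targetUser2"));
        System.out.println("isolated 3: " + t1.authorize("user1", "targetUser1"));

        // Isolation also keeps topology1's grant from leaking into topology2.
        System.out.println("cross-topology: " + t2.authorize("user1", "targetUser1"));
    }
}
```

The last check is the security-relevant half of the same defect: with one shared table, whichever topology initialized last decides who may impersonate whom on all of them.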


