Hi Lian….

This seems to be more of a Knox/Ranger question.  Here is a response from Larry 
from the Knox team.  Can you send further questions on this topic to the Knox 
mailing list - [email protected].



On Jun 11, 2018, at 2:49 PM, Larry McCay <[email protected]> wrote:

Hi Lian -

You will find that a number of services force the use of the Anonymous 
authentication provider through their service definition.
{GATEWAY_HOME}/data/services/service-name/version/service.xml

This is generally done for one or both of the following reasons:

1. the service in question does not support the trusted proxy model and 
impersonation via doas which is prevalent in the Hadoop ecosystem
2. the service in question provides its own authentication mechanism/login 
page and doesn’t want Knox to ever handle the authentication for it

For the latter, it is perfectly reasonable to add a permissive policy for the 
anonymous user to Ranger in order to allow the request to reach the backend 
service so that it can do the authentication.
For the former in the absence of their own authentication mechanism, you would 
want to carefully consider whether you want to provide anonymous access to a 
given UI or service and what data and functionality may be exposed by such 
anonymous access.

HTH,

—larry



From: Lian Jiang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, June 11, 2018 at 2:36 PM
To: "[email protected]" <[email protected]>
Subject: knox cannot resolve user principal

Hi,
I have set up ranger and knox for my HDP 2.6 cluster. Interestingly, by using the 
same user and password, I can access webhdfs service via knox but cannot access 
other services in the same topology as webhdfs. The reason is that knox gets 
the correct principal for webhdfs but gets anonymous for other services.
Any idea why this could happen? Thanks.
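
Added example (not part of the original thread and not Knox project code): a small audit that walks the service definition path Larry mentions and lists the services that force the Anonymous authentication provider, so each one can be reviewed before a permissive Ranger policy is added. It assumes the override is declared as `<policy role="authentication" name="Anonymous"/>`; the service names and XML below are constructed samples, so check the element names against your own service.xml files.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def forced_anonymous_services(gateway_home):
    """List services whose service.xml pins authentication to Anonymous."""
    hits = []
    services = Path(gateway_home) / "data" / "services"
    # Layout from the message: data/services/<service-name>/<version>/service.xml
    for path in sorted(services.glob("*/*/service.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            # Report unreadable definitions instead of silently passing them
            hits.append((path.parts[-3], path.parts[-2], "UNPARSEABLE"))
            continue
        # Assumed declaration: <policy role="authentication" name="Anonymous"/>
        for policy in root.iter("policy"):
            if (policy.get("role") == "authentication"
                    and (policy.get("name") or "").lower() == "anonymous"):
                hits.append((path.parts[-3], path.parts[-2], "ANONYMOUS"))
                break
    return hits

def build_sample(gateway_home):
    """Write constructed service definitions (not real Knox files) for the demo."""
    samples = {
        ("exampleui", "1.0.0"):
            '<service role="EXAMPLEUI" name="exampleui" version="1.0.0">'
            '<policies><policy role="authentication" name="Anonymous"/>'
            '<policy role="authorization"/></policies></service>',
        ("exampleapi", "2.0.0"):
            '<service role="EXAMPLEAPI" name="exampleapi" version="2.0.0">'
            '<routes><route path="/exampleapi/**"/></routes></service>',
        ("broken", "0.1.0"): '<service role="BROKEN"',
    }
    for (name, version), xml in samples.items():
        target = Path(gateway_home) / "data" / "services" / name / version
        target.mkdir(parents=True)
        (target / "service.xml").write_text(xml)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        for name, version, status in forced_anonymous_services(home):
            print(f"{name}/{version}: {status}")
```

Against a real gateway, pass the actual GATEWAY_HOME directory to `forced_anonymous_services` instead of the temporary sample tree.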
