Hmm, I see.. On our part though, trying to get a proof of concept up and running, can we deploy a rewrite function or dispatch as a separate "plugin" though, in our existing Knox installation?
We ran into another issue too, that a Livy "valid" 404 response (trying to DELETE a session that's already gone) turns into a 500 from Knox, so I suspect we need to handle that similarly.. On tor 31 aug. 2017 16:31 larry mccay <[email protected]> wrote: > I don't believe there is any way to inject that currently it will likely > require a rewrite function or specialized dispatch. > > Livy needs to support the proper trusted proxy pattern used by other > services. > > > On Aug 31, 2017 6:23 AM, "Johan Wärlander" <[email protected]> wrote: > > We've been able to set up Knox to route Livy requests, and it's working > mostly as expected; when creating a new Spark session via a POST request > with a JSON body, Knox has a rewrite rule that modifies the "proxyUser" in > the JSON body, making sure you can only act as the user you authenticated > to Knox with: > > From service.xml: > > <route path="/livy/v1/sessions"> > <rewrite apply="LIVYSERVER/livy/addusername/inbound" to="request.body"/> > </route> > > From rewrite.xml: > > <filter name="LIVYSERVER/livy/addusername/inbound"> > <content type="*/json"> > <apply path="$.proxyUser" rule="LIVYSERVER/livy/user-name"/> > </content> > </filter> > > Example of a request: > > curl -u johwar -v -s --data '{"proxyUser":"foobar","kind": "pyspark"}' -H > "Content-Type: application/json" > https://myknoxserver/gateway/default/livy/v1/sessions > > This works fine, and "foobar" above gets replaced with "johwar" before the > request reaches Livy. > > However, if you *don't* pass "proxyUser" at all in the request, this rule > doesn't seem to *add* the element, so it ends up as "knox" on the Livy end; > it's probably defaulting to the Kerberos-authenticated user, which is of > course "knox". > > Is there a way to make sure that "proxyUser" is modified if it exists (as > above) AND added if it's missing? > > NOTE: For our full config, we followed the example below: > > > https://community.hortonworks.com/articles/70499/adding-livy-server-as-service-to-apache-knox.html > > >
