There has been quite a bit of work done around enabling Knox and the
MapReduce Job History server UI. However, I think we are going to run into
a fundamental problem with the MapReduce Job History server and
impersonation/doAs.

Based on our research, we found that the MR Job History server doesn't
support the "doAs" pattern that is used by Knox and Hue.

If I navigate to a topology /jobhistory/, in the top right-hand corner is:
"Logged in as: knox". Knox sends a doAs parameter (just like Hue) and it
seems like the MR Job History server is ignoring this. Ideally the
"Logged in as:" would be the user who authenticated to Knox and not the
user Knox is running as (according to Kerberos).

Right now this causes problems for us because the Knox user doesn't have
access to view the job logs. If I navigate to an attempt log, it looks to
proxy correctly, but I end up with this error message:

User [knox] is not authorized to view the logs for
attempt_1525122616004_0164_m_000000_0 in log file

The same type of error happens in Hue when trying to look at job logs.


User [hue] is not authorized to view the logs for job_1521053483563_0133 in
log file


It looks like this might have been previously reported as KNOX-747 but was
closed as can't reproduce.

I don't think this is a problem with Knox but bringing it up here in case
there are any ideas on workarounds. This might have to be fixed upstream in
the Hadoop project.

Any ideas on how to move forward with Knox and MapReduce Job History server?

Kevin Risden
