This can only be addressed in Hadoop, AFAICT. There are so many UIs and even APIs not supporting trusted proxies and it is really becoming a problem.
We need to file JIRAs where this support is missing and potentially provide patches as it seems folks are reluctant to add proper support for it anymore.

On Wed, May 2, 2018 at 2:56 PM, Kevin Risden <[email protected]> wrote:

> There has been quite a bit of work done around enabling Knox and the
> MapReduce Job History server UI. However, I think we are going to run into
> a fundamental problem with the MapReduce Job History server and
> impersonation/doAs.
>
> Based on our research, we found that the MR Job History server doesn't
> support the "doAs" pattern that is used by Knox and Hue.
>
> If I navigate to a topology /jobhistory/ in the top right hand corner is:
> "Logged in as: knox". Knox sends a doAs parameter (just like Hue) and it
> seems like MR Job History server is ignoring this. Ideally the "Logged in
> as:" would be the user who authenticated to Knox and not the user Knox is
> running as (according to Kerberos).
>
> Right now this causes problems for us because the Knox user doesn't have
> access to view the job logs. If I navigate to an attempt log it looks to
> proxy correctly but end up with this error message:
>
> User [knox] is not authorized to view the logs for
> attempt_1525122616004_0164_m_000000_0 in log file
>
> The same type of error happens in Hue when trying to look at job logs.
>
> User [hue] is not authorized to view the logs for job_1521053483563_0133
> in log file
>
> It looks like this might have been previously reported as KNOX-747 but was
> closed as can't reproduce.
>
> I don't think this is a problem with Knox but bringing it up here in case
> there are any ideas on workarounds. This might have to be fixed upstream in
> the Hadoop project.
>
> Any ideas on how to move forward with Knox and MapReduce Job History
> server?
>
> Kevin Risden
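
A simplified model of the trusted-proxy doAs pattern discussed in this thread, added here as an illustration; it is not part of the original messages and is not Hadoop or Knox code. The rule table, host name, users, job id and function names are constructed assumptions, loosely modelled on Hadoop's `hadoop.proxyuser.<name>.hosts` and `.groups` settings.

```python
# Constructed proxy-user rules (assumption): which authenticated service may
# impersonate members of which groups, and from which hosts.
PROXY_RULES = {
    "knox": {"hosts": {"gateway.example.com"}, "groups": {"analysts"}},
}
# Constructed group membership and job ownership for the demo.
USER_GROUPS = {"alice": {"analysts"}, "bob": {"finance"}}
JOB_OWNERS = {"job_1525122616004_0164": "alice"}


class ImpersonationDenied(Exception):
    """Raised when a doAs request does not come from a trusted proxy."""


def effective_user(authenticated, do_as, remote_host, honor_do_as=True):
    """Return the user a request runs as.

    authenticated: principal proven by Kerberos (the proxy, e.g. "knox")
    do_as:         value of the doAs parameter, or None
    honor_do_as:   False models a service that ignores doAs, as in the thread
    """
    if not do_as or not honor_do_as:
        # The proxy itself is treated as the end user ("Logged in as: knox").
        return authenticated
    rule = PROXY_RULES.get(authenticated)
    if rule is None:
        raise ImpersonationDenied(f"{authenticated} is not a trusted proxy")
    if remote_host not in rule["hosts"]:
        raise ImpersonationDenied(f"{authenticated} may not proxy from {remote_host}")
    if not USER_GROUPS.get(do_as, set()) & rule["groups"]:
        raise ImpersonationDenied(f"{authenticated} may not impersonate {do_as}")
    return do_as


def view_logs(user, job_id):
    """Owner-only log check; the denial text follows the error quoted above."""
    if JOB_OWNERS.get(job_id) != user:
        return f"User [{user}] is not authorized to view the logs for {job_id}"
    return f"logs for {job_id}"


if __name__ == "__main__":
    job = "job_1525122616004_0164"
    ignored = effective_user("knox", "alice", "gateway.example.com", honor_do_as=False)
    print(view_logs(ignored, job))   # denied: request ran as the proxy
    honored = effective_user("knox", "alice", "gateway.example.com")
    print(view_logs(honored, job))   # allowed: request ran as the end user
```

Honoring doAs is only safe together with the trusted-proxy checks: without them any authenticated caller could name another user in the parameter.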
