Thanks Larry. This also seems to affect YARN as well when looking at the YARN UI support in Apache Knox. Same sort of issue: "Logged in as: knox".
Kevin Risden On Thu, May 3, 2018 at 10:10 AM, larry mccay <[email protected]> wrote: > This can only be addressed in Hadoop, AFAICT. > There are so many UIs and even APIs not supporting trusted proxies and it > is really becoming a problem. > > We need to file JIRAs where this support is missing and potentially > provide patches as it seems folks are reluctant to add proper support for > it anymore. > > On Wed, May 2, 2018 at 2:56 PM, Kevin Risden <[email protected]> wrote: > >> There has been quite a bit of work done around enabling Knox and the >> MapReduce Job History server UI. However, I think we are going to run into >> a fundamental problem with the MapReduce Job History server and >> impersonation/doAs. >> >> Based on our research, we found that the MR Job History server doesn't >> support the "doAs" pattern that is used by Knox and Hue. >> >> If I navigate to a topology /jobhistory/ in the top right hand corner is: >> "Logged in as: knox". Knox sends a doAs parameter (just like Hue) and it >> seems like MR Job History server is ignoring this. Ideally the "Logged >> in as:" would be the user who authenticated to Knox and not the user Knox >> is running as (according to Kerberos). >> >> Right now this causes problems for us because the Knox user doesn't have >> access to view the job logs. If I navigate to an attempt log it looks to >> proxy correctly but end up with this error message: >> >> User [knox] is not authorized to view the logs for >> attempt_1525122616004_0164_m_000000_0 in log file >> >> The same type of error happens in Hue when trying to look at job logs. >> >> >> User [hue] is not authorized to view the logs for job_1521053483563_0133 >> in log file >> >> >> It looks like this might have been previously reported as KNOX-747 but >> was closed as can't reproduce. >> >> I don't think this is a problem with Knox but bringing it up here in case >> there are any ideas on workarounds. This might have to be fixed upstream in >> the Hadoop project. >> >> Any ideas on how to move forward with Knox and MapReduce Job History >> server? >> >> Kevin Risden >> > >
