[
https://issues.apache.org/jira/browse/HADOOP-16354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16860140#comment-16860140
]
Eric Yang edited comment on HADOOP-16354 at 6/10/19 4:44 PM:
-------------------------------------------------------------
[~Prabhu Joseph] Test case 2 is mixed for normal distcp, and accessing distcp
via the knox gateway. However, the doAs flag is missing when requesting the
delegation token. Hence, the token returned from webhdfs is owned by the Knox
user instead of ambari-qa.
We can refine the test into two separate tests.
h2. 2.1 Knox obtains a delegation token for the end user for cross-knox distcp
The test must be written as:
{code}
[knox@pjosephdocker-1 hadoop]$ curl --negotiate -u :
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs&doAs=ambari-qa"
{"Token":{"urlString":"hash of delegation token for ambari-qa user"}}
{code}
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/ambari-qa?op=GETFILESTATUS&delegation=hash
of delegation token for ambari-qa user"
{code}
The key difference is that the GETDELEGATIONTOKEN operation and the doAs flag
need to work together for knox to obtain a valid token for the end user. In
the past, we allowed both doas= and doAs=; this was a case-insensitive flag.
h2. 2.2 Normal operation to get a delegation token as the end user for distcp
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl --negotiate -u :
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs"
{"Token":{"urlString":"hash of ambari-qa delegation token"}}
{code}
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/ambari-qa?op=GETFILESTATUS&delegation=hash
of ambari-qa delegation token"
{"FileStatus":{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":1394411,"group":"hadoop","length":0,"modificationTime":1559980208213,"owner":"knox","pathSuffix":"","permission":"755","replication":0,"storagePolicy":0,"type":"DIRECTORY"}}
{code}
Test case 2.1 must work in AuthFilter regardless of whether
ProxyUserAuthenticationFilter or AuthenticationFilter is configured, to maintain
backward compatibility.
was (Author: eyang):
[~Prabhu Joseph] Test case 2 is mixed for getting a delegation token, and
accessing via the knox gateway. However, the doAs flag is missing when requesting
the delegation token. Hence, the token returned from webhdfs is owned by the Knox
user instead of ambari-qa.
We can refine the test into two separate tests.
h2. 2.1 Knox obtains a delegation token for the end user for cross-knox distcp
The test must be written as:
{code}
[knox@pjosephdocker-1 hadoop]$ curl --negotiate -u :
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs&doAs=ambari-qa"
{"Token":{"urlString":"hash of delegation token for ambari-qa user"}}
{code}
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/ambari-qa?op=GETFILESTATUS&delegation=hash
of delegation token for ambari-qa user"
{code}
The key difference is that the GETDELEGATIONTOKEN operation and the doAs flag
need to work together for knox to obtain a valid token for the end user. In
the past, we allowed both doas= and doAs=; this was a case-insensitive flag.
h2. 2.2 Normal operation to get a delegation token as the end user for distcp
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl --negotiate -u :
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&renewer=hdfs"
{"Token":{"urlString":"hash of ambari-qa delegation token"}}
{code}
{code}
[ambari-qa@pjosephdocker-1 ~]$ curl
"http://pjosephdocker-1.openstacklocal:50070/webhdfs/v1/user/ambari-qa?op=GETFILESTATUS&delegation=hash
of ambari-qa delegation token"
{"FileStatus":{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":1394411,"group":"hadoop","length":0,"modificationTime":1559980208213,"owner":"knox","pathSuffix":"","permission":"755","replication":0,"storagePolicy":0,"type":"DIRECTORY"}}
{code}
Test case 2.1 must work in AuthFilter regardless of whether
ProxyUserAuthenticationFilter or AuthenticationFilter is configured, to maintain
backward compatibility.
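The check behind test 2.1 is whether the urlString WebHDFS hands back is owned by the end user named in doAs (with the proxy recorded as realUser) or by the proxy principal itself. The script below is an added example, not code from the comment above or from Hadoop: it encodes and decodes a delegation token urlString using the wire layout of Hadoop's Token.write() and AbstractDelegationTokenIdentifier.write() as this editor understands it (an assumption to verify against your Hadoop version), and the two sample tokens, their fake password, dates, sequence numbers and service address are constructed locally, not captured from the cluster in the test.

```python
"""Decode a WebHDFS delegation token urlString and check whose token it is.

Added example, not Hadoop code. Assumed layout (check against your version):
  token      = vint(len) identifier vint(len) password Text(kind) Text(service)
  identifier = byte(version=0) Text(owner) Text(renewer) Text(realUser)
               vlong(issueDate) vlong(maxDate) vint(sequenceNumber) vint(masterKeyId)
Token.encodeToUrlString() is assumed to be URL-safe base64 without padding.
"""
import base64
import json


def write_vlong(value: int) -> bytes:
    """Hadoop WritableUtils.writeVLong: one byte for -112..127, else a length prefix."""
    if -112 <= value <= 127:
        return bytes([value & 0xFF])
    length = -112
    if value < 0:
        value = ~value  # one's complement, as Hadoop does for negatives
        length = -120
    tmp = value
    while tmp:
        tmp >>= 8
        length -= 1
    out = bytearray([length & 0xFF])
    nbytes = -(length + 120) if length < -120 else -(length + 112)
    for idx in range(nbytes, 0, -1):
        out.append((value >> ((idx - 1) * 8)) & 0xFF)
    return bytes(out)


def read_vlong(buf: bytes, pos: int):
    """Inverse of write_vlong (WritableUtils.readVLong); returns (value, next_pos)."""
    first = buf[pos] - 256 if buf[pos] > 127 else buf[pos]  # Java signed byte
    pos += 1
    if first >= -112:
        return first, pos
    nbytes = -119 - first if first < -120 else -111 - first
    value = 0
    for _ in range(nbytes - 1):
        value = (value << 8) | buf[pos]
        pos += 1
    return (~value if first < -120 else value), pos


def write_text(s: str) -> bytes:
    """Hadoop Text.write: vint byte length, then UTF-8 bytes."""
    data = s.encode("utf-8")
    return write_vlong(len(data)) + data


def read_text(buf: bytes, pos: int):
    n, pos = read_vlong(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n


def encode_identifier(owner, renewer, real_user, issue_date, max_date, seq, key_id) -> bytes:
    """AbstractDelegationTokenIdentifier.write() layout (assumed, see module docstring)."""
    return (b"\x00" + write_text(owner) + write_text(renewer) + write_text(real_user)
            + write_vlong(issue_date) + write_vlong(max_date)
            + write_vlong(seq) + write_vlong(key_id))


def encode_token_url_string(identifier: bytes, password: bytes, kind: str, service: str) -> str:
    """Token.write() followed by URL-safe, unpadded base64 (Token.encodeToUrlString)."""
    raw = (write_vlong(len(identifier)) + identifier
           + write_vlong(len(password)) + password
           + write_text(kind) + write_text(service))
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_token_url_string(url_string: str) -> dict:
    """Parse a urlString back into its fields; the password is deliberately not returned."""
    raw = base64.urlsafe_b64decode(url_string + "=" * (-len(url_string) % 4))
    n, pos = read_vlong(raw, 0)
    identifier, pos = raw[pos:pos + n], pos + n
    n, pos = read_vlong(raw, pos)
    pos += n  # skip the secret password bytes
    kind, pos = read_text(raw, pos)
    service, pos = read_text(raw, pos)
    if identifier[0] != 0:
        raise ValueError("unexpected identifier version %d" % identifier[0])
    owner, ipos = read_text(identifier, 1)
    renewer, ipos = read_text(identifier, ipos)
    real_user, ipos = read_text(identifier, ipos)
    issue_date, ipos = read_vlong(identifier, ipos)
    max_date, ipos = read_vlong(identifier, ipos)
    seq, ipos = read_vlong(identifier, ipos)
    key_id, _ = read_vlong(identifier, ipos)
    return {"kind": kind, "service": service, "owner": owner, "renewer": renewer,
            "realUser": real_user, "issueDate": issue_date, "maxDate": max_date,
            "sequenceNumber": seq, "masterKeyId": key_id}


def token_owner_from_response(body: str) -> str:
    """Owner named in a WebHDFS {"Token":{"urlString":...}} GETDELEGATIONTOKEN reply."""
    return decode_token_url_string(json.loads(body)["Token"]["urlString"])["owner"]


def token_is_for(url_string: str, end_user: str) -> bool:
    """Test 2.1's check: a token fetched with doAs=end_user must be owned by end_user."""
    return decode_token_url_string(url_string)["owner"] == end_user


# Constructed sample tokens (fake password, made-up dates/sequence numbers/service),
# NOT captured from the cluster in the comment above.
_PASSWORD = b"\x01\x02\x03\x04"
WITH_DOAS = encode_token_url_string(  # knox asked with doAs=ambari-qa
    encode_identifier("ambari-qa", "hdfs", "knox", 1559980208213, 1560585008213, 42, 7),
    _PASSWORD, "HDFS_DELEGATION_TOKEN", "10.0.0.1:8020")
WITHOUT_DOAS = encode_token_url_string(  # knox asked without doAs: owner is knox
    encode_identifier("knox", "hdfs", "", 1559980208213, 1560585008213, 43, 7),
    _PASSWORD, "HDFS_DELEGATION_TOKEN", "10.0.0.1:8020")

if __name__ == "__main__":
    for label, tok in (("doAs=ambari-qa", WITH_DOAS), ("no doAs", WITHOUT_DOAS)):
        fields = decode_token_url_string(tok)
        print(label, "owner=%s realUser=%r ok_for_ambari-qa=%s"
              % (fields["owner"], fields["realUser"], token_is_for(tok, "ambari-qa")))
```

Feeding the real reply body of the GETDELEGATIONTOKEN curl call in test 2.1 to token_owner_from_response should yield ambari-qa; a result of knox is the failure mode the comment describes, where the doAs flag never reached the token issuer.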
> Enable AuthFilter as default for WebHdfs
> ----------------------------------------
>
> Key: HADOOP-16354
> URL: https://issues.apache.org/jira/browse/HADOOP-16354
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.3.0
> Reporter: Prabhu Joseph
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16354-001.patch, HADOOP-16354-002.patch,
> HADOOP-16354-003.patch
>
>
> HADOOP-16314 provides a generic option to configure
> ProxyUserAuthenticationFilterInitializer (Kerberos + doAs support) for all
> the services. If this is not configured, AuthenticationFilter is used for
> NameNode UI and WebHdfs. Will enable AuthFilter as default for WebHdfs so
> that it is backward compatible.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)