jaehoon ko created KNOX-440:
-------------------------------

             Summary: HttpFS impersonation issue
                 Key: KNOX-440
                 URL: https://issues.apache.org/jira/browse/KNOX-440
             Project: Apache Knox
          Issue Type: Bug
          Components: Site
    Affects Versions: 0.4.0
            Reporter: jaehoon ko


When NameNode High Availability is enabled, KNOX should be integrated with 
HttpFS, not WebHDFS. KNOX puts 'doAs=username' to impersonate a user against 
HttpFS. The problem is that HttpFS does not recognize 'doAs', resulting in the 
following error.
{panel}
client:
$ hdfs dfs -ls /user/rob/hello
-r--------   3 rob stark          6 2014-10-02 09:19 /user/rob/hello
$ curl -iLk -u rob -X GET "https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN"
Enter host password for user 'rob':
HTTP/1.1 500 Server Error
Set-Cookie: JSESSIONID=u5grw7n8xe3x19o7wuxwpai3k;Path=/gateway/amber;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Apache-Coyote/1.1
Date: Mon, 13 Oct 2014 03:47:47 GMT
Content-Type: application/json
Connection: close

{"RemoteException":{"message":"Permission denied: user=knox, access=READ, inode=\"/user/rob/hello\":rob:stark:-r--------","exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException"}}
{panel}

{panel}
tail -f $KNOX/logs/gateway.log

2014-10-13 12:47:47,169 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(110)) - Received request: GET /webhdfs/v1/user/rob/hello?op=OPEN
2014-10-13 12:47:47,596 INFO  realm.AuthorizingRealm (AuthorizingRealm.java:getAuthorizationCacheLazy(248)) - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
2014-10-13 12:47:47,635 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(157)) - Rewrote URL: https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN, direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?op=OPEN
2014-10-13 12:47:47,653 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: */*, direction: IN
2014-10-13 12:47:47,654 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2, direction: IN
2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
2014-10-13 12:47:47,934 DEBUG hadoop.gateway (AppCookieManager.java:getAppCookie(139)) - Successful Knox->Hadoop SPNegotiation authentication for URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Apache-Coyote/1.1, direction: OUT
2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: application/json, direction: OUT
2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: chunked, direction: OUT
2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Mon, 13 Oct 2014 03:47:47 GMT, direction: OUT
2014-10-13 12:47:48,009 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: close, direction: OUT
2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:-r--------, direction: OUT
2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: AccessControlException, direction: OUT
2014-10-13 12:47:48,031 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: org.apache.hadoop.security.AccessControlException, direction: OUT
{panel}

According to the [WebHDFS specification|http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users], the correct variable name is 'doas'.


