[ 
https://issues.apache.org/jira/browse/KNOX-440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168966#comment-14168966
 ] 

jaehoon ko commented on KNOX-440:
---------------------------------

GitHub pull request: https://github.com/apache/knox/pull/1

Due to limitations of my cluster environment, I couldn't test how this change 
would affect the use of other Hadoop services (hive, oozie, etc.). Please help with 
these tests if you can.

> HttpFS impersonation issue
> --------------------------
>
>                 Key: KNOX-440
>                 URL: https://issues.apache.org/jira/browse/KNOX-440
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 0.4.0
>            Reporter: jaehoon ko
>              Labels: patch
>
> When NameNode High Availability is enabled, KNOX should be integrated with 
> HttpFS, not WebHDFS. KNOX puts 'doAs=username' to impersonate a user against 
> HttpFS. The problem is that HttpFS does not recognize 'doAs', resulting in the 
> following error.
> {panel}
> client:
> $ hdfs dfs -ls /user/rob/hello
> -r--------   3 rob stark          6 2014-10-02 09:19 /user/rob/hello
> $ curl -iLk -u rob -X GET "https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN"
> Enter host password for user 'rob':
> HTTP/1.1 500 Server Error
> Set-Cookie: 
> JSESSIONID=u5grw7n8xe3x19o7wuxwpai3k;Path=/gateway/amber;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Server: Apache-Coyote/1.1
> Date: Mon, 13 Oct 2014 03:47:47 GMT
> Content-Type: application/json
> Connection: close
> {"RemoteException":{"message":"Permission denied: user=knox, access=READ, 
> inode=\"/user/rob/hello\":rob:stark:-r--------","exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException"}}
> {panel}
> {panel}
> tail -f $KNOX/logs/gateway.log
> 2014-10-13 12:47:47,169 DEBUG hadoop.gateway 
> (GatewayFilter.java:doFilter(110)) - Received request: GET 
> /webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,596 INFO  realm.AuthorizingRealm 
> (AuthorizingRealm.java:getAuthorizationCacheLazy(248)) - No cache or 
> cacheManager properties have been set.  Authorization cache cannot be 
> obtained.
> 2014-10-13 12:47:47,635 DEBUG hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(157)) - Rewrote URL: 
> https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN,
>  direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to 
> URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,653 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: */*, 
> direction: IN
> 2014-10-13 12:47:47,654 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: curl/7.19.7 
> (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 
> libssh2/1.4.2, direction: IN
> 2014-10-13 12:47:47,656 DEBUG hadoop.gateway 
> (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET 
> http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:47,934 DEBUG hadoop.gateway 
> (AppCookieManager.java:getAppCookie(139)) - Successful Knox->Hadoop 
> SPNegotiation authentication for URL: 
> http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:48,005 DEBUG hadoop.gateway 
> (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> Apache-Coyote/1.1, direction: OUT
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> application/json, direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: chunked, 
> direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Mon, 13 Oct 
> 2014 03:47:47 GMT, direction: OUT
> 2014-10-13 12:47:48,009 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: close, 
> direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission 
> denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:-r--------, 
> direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> AccessControlException, direction: OUT
> 2014-10-13 12:47:48,031 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> org.apache.hadoop.security.AccessControlException, direction: OUT
> {panel}
> According to the [WebHDFS 
> specification|http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users],
> the correct variable name is 'doas'.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
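
An added example (not part of the original message or the Knox code base): a Python check over gateway.log that reports dispatched requests whose proxy-user parameter is not spelled exactly `doas`, along with the response status and the user the backend actually evaluated. The log lines are constructed from the excerpt above, unwrapped and with a placeholder hostname; the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample modelled on the gateway.log excerpt quoted above
# (placeholder hostname, lines unwrapped; the last two lines show the corrected name).
SAMPLE_LOG = """\
2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://httpfs.example.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:-r--------, direction: OUT
2014-10-13 12:50:02,101 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://httpfs.example.net:14000/webhdfs/v1/user/rob/hello?doas=rob&op=OPEN
2014-10-13 12:50:02,240 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 200
"""

DISPATCH = re.compile(r"Dispatch request: (\S+) (\S+)")
STATUS = re.compile(r"Dispatch response status: (\d{3})")
DENIED = re.compile(r"Permission denied: user=([^,\s]+)")


def audit_impersonation(log_text):
    """Pair each dispatched request with its response lines and return the
    requests whose proxy-user parameter is not spelled exactly 'doas'."""
    findings, current = [], None
    for line in log_text.splitlines():
        if (m := DISPATCH.search(line)):
            params = parse_qsl(urlsplit(m.group(2)).query)
            # Any case variant of 'doas' counts as an impersonation attempt.
            proxy = [(k, v) for k, v in params if k.lower() == "doas"]
            current = None
            if proxy:
                key, user = proxy[0]
                current = {"url": m.group(2), "param": key,
                           "requested_user": user,
                           "status": None, "effective_user": None}
                # Per the report, HttpFS does not recognize 'doAs';
                # the WebHDFS specification names the parameter 'doas'.
                if key != "doas":
                    findings.append(current)
        elif current and (m := STATUS.search(line)):
            current["status"] = int(m.group(1))
        elif current and (m := DENIED.search(line)):
            # The identity the backend actually checked permissions for.
            current["effective_user"] = m.group(1)
    return findings


if __name__ == "__main__":
    for f in audit_impersonation(SAMPLE_LOG):
        print(f"{f['param']}={f['requested_user']} not honoured; backend saw "
              f"user={f['effective_user']} (HTTP {f['status']}): {f['url']}")
```

A finding whose `effective_user` is the gateway's own account, as in the first sample request, means the backend evaluated the request as the gateway rather than as the authenticated end user.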
