[ https://issues.apache.org/jira/browse/KNOX-440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14170324#comment-14170324 ]

Larry McCay commented on KNOX-440:
----------------------------------

I was hoping to see some indication that "doas" was not found in the request. 
Maybe there isn't any logging for that and it just assumes that the client is 
acting as itself.

We will have to dig into the HttpFS source a bit more.

> HttpFS impersonation issue
> --------------------------
>
>                 Key: KNOX-440
>                 URL: https://issues.apache.org/jira/browse/KNOX-440
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 0.4.0
>            Reporter: jaehoon ko
>              Labels: patch
>
> When NameNode High Availability is enabled, KNOX should be integrated with 
> HttpFS, not WebHDFS. KNOX puts 'doAs=username' to impersonate a user against 
> HttpFS. Problem is that HttpFS does not recognize 'doAs', resulting in the 
> following error.
> {panel}
> client:
> $ hdfs dfs -ls /user/rob/hello
> -r--------   3 rob stark          6 2014-10-02 09:19 /user/rob/hello
> $ curl -iLk -u rob -X GET 
> "https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN";
> Enter host password for user 'rob':
> HTTP/1.1 500 Server Error
> Set-Cookie: 
> JSESSIONID=u5grw7n8xe3x19o7wuxwpai3k;Path=/gateway/amber;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Server: Apache-Coyote/1.1
> Date: Mon, 13 Oct 2014 03:47:47 GMT
> Content-Type: application/json
> Connection: close
> {"RemoteException":{"message":"Permission denied: user=knox, access=READ, 
> inode=\"/user/rob/hello\":rob:stark:-r--------","exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException"}}
> {panel}
> {panel}
> tail -f $KNOX/logs/gateway.log
> 2014-10-13 12:47:47,169 DEBUG hadoop.gateway 
> (GatewayFilter.java:doFilter(110)) - Received request: GET 
> /webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,596 INFO  realm.AuthorizingRealm 
> (AuthorizingRealm.java:getAuthorizationCacheLazy(248)) - No cache or 
> cacheManager properties have been set.  Authorization cache cannot be 
> obtained.
> 2014-10-13 12:47:47,635 DEBUG hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(157)) - Rewrote URL: 
> https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN,
>  direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to 
> URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,653 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: */*, 
> direction: IN
> 2014-10-13 12:47:47,654 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: curl/7.19.7 
> (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 
> libssh2/1.4.2, direction: IN
> 2014-10-13 12:47:47,656 DEBUG hadoop.gateway 
> (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET 
> http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:47,934 DEBUG hadoop.gateway 
> (AppCookieManager.java:getAppCookie(139)) - Successful Knox->Hadoop 
> SPNegotiation authentication for URL: 
> http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:48,005 DEBUG hadoop.gateway 
> (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> Apache-Coyote/1.1, direction: OUT
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> application/json, direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: chunked, 
> direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Mon, 13 Oct 
> 2014 03:47:47 GMT, direction: OUT
> 2014-10-13 12:47:48,009 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: close, 
> direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission 
> denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:-r--------, 
> direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> AccessControlException, direction: OUT
> 2014-10-13 12:47:48,031 TRACE hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: 
> org.apache.hadoop.security.AccessControlException, direction: OUT
> {panel}
> According to the [WebHDFS 
> specification|http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users],
> the correct variable name is 'doas'.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
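As an added check (editor's example, not code from the Knox project or from this thread): a small Python audit that scans Knox gateway.log "Dispatch request" lines and reports whether the proxy-user query parameter sent to HttpFS matches the WebHDFS spec name 'doas' exactly. The report above shows HttpFS not recognizing 'doAs' and evaluating the request as the gateway's own principal (user=knox), so the audit also reports which identity HttpFS would effectively use. The log lines below are constructed from the excerpt in the issue; the gateway user name "knox" and the log-line format are assumptions based on that excerpt.

```python
"""Audit Knox -> HttpFS dispatch URLs for the WebHDFS proxy-user parameter name."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter name from the WebHDFS "Proxy Users" spec. The report shows HttpFS
# treating the name case-sensitively, so 'doAs' is not recognised.
SPEC_PROXY_PARAM = "doas"

# Assumed: the Kerberos principal Knox itself authenticates with (user=knox in the report).
GATEWAY_USER = "knox"

# Constructed sample log, modelled on the gateway.log excerpt in the issue.
SAMPLE_LOG = """\
2014-10-13 12:47:47,169 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(110)) - Received request: GET /webhdfs/v1/user/rob/hello?op=OPEN
2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
2014-10-13 12:47:49,100 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/other?doas=rob&op=OPEN
2014-10-13 12:47:49,200 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/tmp?op=LISTSTATUS
"""

# Matches the outbound URL Knox logs when it dispatches to the backend.
DISPATCH_RE = re.compile(r"Dispatch request: (?P<method>[A-Z]+) (?P<url>\S+)")


def extract_dispatch_urls(log_text):
    """Return every backend URL Knox dispatched, in log order."""
    return [m.group("url") for m in DISPATCH_RE.finditer(log_text)]


def classify_proxy_param(url):
    """Classify the proxy-user parameter of one dispatch URL.

    'ok'         : the spec name 'doas' is present exactly
    'wrong-case' : a case-variant such as 'doAs' is present (HttpFS ignores it)
    'missing'    : no proxy-user parameter at all
    """
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if SPEC_PROXY_PARAM in names:
        return "ok"
    if any(n.lower() == SPEC_PROXY_PARAM for n in names):
        return "wrong-case"
    return "missing"


def effective_user(url, gateway_user=GATEWAY_USER):
    """Identity HttpFS would apply to this request: the proxied user only when
    the exact spec parameter is present, otherwise the gateway's own principal."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if SPEC_PROXY_PARAM in params and params[SPEC_PROXY_PARAM]:
        return params[SPEC_PROXY_PARAM]
    return gateway_user


def audit_log(log_text):
    """Return (url, classification, effective_user) for each dispatched request."""
    return [
        (url, classify_proxy_param(url), effective_user(url))
        for url in extract_dispatch_urls(log_text)
    ]


if __name__ == "__main__":
    for url, status, user in audit_log(SAMPLE_LOG):
        flag = "" if status == "ok" else "  <-- request runs as gateway user, not the caller"
        print(f"{status:10s} as {user:6s} {url}{flag}")
```

Run against a real gateway.log, any 'wrong-case' or 'missing' finding on a path that should be user-scoped means the permission check happened against the gateway principal rather than the end user, which is exactly the "user=knox, access=READ" denial shown in the report.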