Informational, no issue here. To access Hadoop services on behalf of an authenticated user, Knox authenticates with the service using the ‘knox’ user, but passes a ‘doAs’ parameter conveying the caller’s identity. The service checks that ‘knox’ is a valid proxy user. Some services (like WebHDFS) are themselves proxies to other services, in which case a similar procedure occurs recursively.
It occurred to me that this procedure resembles the ‘protocol transition’ Kerberos extension that Microsoft introduced years ago, known as S4U. S4U is an alternative approach that Knox could use to access Kerberos-secured services that don’t support a ‘doAs’ parameter. I dug up a few articles on the subject to share with the group.

Explanation - https://technet.microsoft.com/en-us/library/cc738207(v=ws.10).aspx
Specification - https://msdn.microsoft.com/en-us/library/cc246071.aspx
MIT Kerberos support - http://k5wiki.kerberos.org/wiki/Projects/Services4User

Enjoy,
Eron Wright
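
An added illustration, not part of the original message and not Hadoop or Knox code: a simplified Python model of the service-side check described above, in which the service decides whether the authenticated 'knox' caller may act as the 'doAs' user. The hadoop.proxyuser.* property names are Hadoop's; the address, users and groups are constructed, and host matching is reduced to an exact match or `*`.

```python
# Simplified model of the service-side proxy-user ("doAs") check; not Hadoop's code.
from dataclasses import dataclass, field

class ImpersonationDenied(Exception):
    pass

@dataclass
class ProxyRule:
    hosts: set = field(default_factory=set)   # addresses the proxy may connect from
    groups: set = field(default_factory=set)  # groups whose members may be impersonated
    users: set = field(default_factory=set)   # individual users who may be impersonated

def load_rules(conf):
    """Collect hadoop.proxyuser.<name>.{hosts,groups,users} entries per proxy user."""
    rules = {}
    for key, value in conf.items():
        parts = key.split(".")
        if (len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"]
                and parts[3] in ("hosts", "groups", "users")):
            rule = rules.setdefault(parts[2], ProxyRule())
            getattr(rule, parts[3]).update(
                v.strip() for v in value.split(",") if v.strip())
    return rules

def effective_user(rules, authenticated, do_as, remote_addr, groups_of):
    """Return the identity the request runs as, or raise ImpersonationDenied."""
    if not do_as or do_as == authenticated:
        return authenticated                  # no impersonation requested
    rule = rules.get(authenticated)
    if rule is None:
        raise ImpersonationDenied(f"{authenticated} is not a configured proxy user")
    if "*" not in rule.hosts and remote_addr not in rule.hosts:
        raise ImpersonationDenied(f"{authenticated} may not proxy from {remote_addr}")
    allowed = ("*" in rule.users or do_as in rule.users or "*" in rule.groups
               or rule.groups & set(groups_of.get(do_as, ())))
    if not allowed:
        raise ImpersonationDenied(f"{authenticated} may not impersonate {do_as}")
    return do_as

# Constructed sample configuration and group membership (assumptions for the example).
CONF = {
    "hadoop.proxyuser.knox.hosts": "10.0.0.5",
    "hadoop.proxyuser.knox.groups": "analysts",
}
GROUPS = {"alice": ["analysts"], "hdfs": ["supergroup"]}
RULES = load_rules(CONF)

if __name__ == "__main__":
    print(effective_user(RULES, "knox", "alice", "10.0.0.5", GROUPS))
```

Scoping the hosts and groups entries narrowly, rather than using `*`, is what keeps a compromised proxy credential from being usable to act as any user from any machine.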
