We have an unsecure (no Kerberos) cluster that is secured through a Knox
gateway. The gateway correctly authenticates users and works fine.
Connecting to Hive Server2 also works fine.
We are now implementing user assertion in Knox. A user known outside,
for example |willem|, is (after correct authentication) transformed into
the user |usr_hdp_developer|. I can see this transformation happening
correctly. In fact, I see the following audit rows:
|15/10/15 09:04:08
||2a0bda3b-be2a-4963-9f8a-69f519e4034f|audit|HIVE|willem|usr_hdp_developer||identity-mapping|principal|willem|success|
15/10/15 09:04:08
||2a0bda3b-be2a-4963-9f8a-69f519e4034f|audit|HIVE|willem|usr_hdp_developer||identity-mapping|principal|<strong>usr_hdp_developer</strong>|success|Groups:
[grp_hdp_developer, ...|
When I now access Hiver Server2 through Knox, I can see that Knox tries
to tell Hive to user the translated username:
|15/10/15 09:04:08
||2a0bda3b-be2a-4963-9f8a-69f519e4034f|audit|HIVE|willem|usr_hdp_developer||dispatch|uri|http://hdpprdhiv01.XXX:10001/cliservice?user.name=usr_hdp_developer|success|Response
status: 200|
It hands down the parameter |user.name| with the correct username to the
cliservice.
But this is not respected at the Hive side. Here I see:
|2015-10-15 08:44:40,291 INFO [HiveServer2-HttpHandler-Pool: Thread-36]:
HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(371)) - ugi=willem
ip=unknown-ip-addr cmd=get_table : db=analyse tbl=bag_adres|
This is what I found:
In the DefaultDispatch, a call is made to addCredentialsToRequest()
(when not Kerberos!). For the Hive dispatcher, this just adds an
Authorization header with just the primairy principal.
I thought it would be good practice to use the class
IdentityAsserterHttpServletRequestWrapper to do the mangling of the
Authorization header and put the asserted identity into that header.
I have patched the IdentityAsserterHttpServletRequestWrapper to put the
asserted user into the Authentication header -- but the IdentityAsserter
filter seems to be applied BEFORE the call to addCredetialsToRequest()
is made in the DefailtDispach.
Does this mean that the HiveDispatch class needs to become aware of
identity assertion and add the asserted username into the Authorization key?
I can see that the request comes in with the ORIGINAL Authorization
values (for the "outside" principal).
What are your views? Should HiveDispatch become aware of identity assertion?
Regards,
Willem
