[
https://issues.apache.org/jira/browse/KNOX-1098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687286#comment-16687286
]
Jesus Alvarez edited comment on KNOX-1098 at 11/14/18 11:50 PM:
----------------------------------------------------------------
Thanks for this patch Kevin, it's a much needed one!!
I ran a few tests and it still seems to show the Knox service account, rather
than the authenticated user:
Knox is running as "dsxhi" user
JWT token for request is for username "user1"
*Test 1 - user1 does NOT send "proxyUser"*
- Start a session
{quote}
curl -k -v -X POST \
  -H "Authorization: Bearer $DSX_TOKEN" \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: user1' \
  ${GATEWAY}'livy/v1/sessions' -d '{"kind":"spark"}'
{quote}
- Response - shows proxyUser - knox id
{quote}
{"id":69,"appId":null,"owner":"dsxhi","proxyUser":"dsxhi","state":"starting","kind":"spark","appInfo":{"driverLogUrl":null,"sparkUiUrl":null},"log":["stdout: ","\nstderr: ","\nYARN Diagnostics: "]}[root@durotar-edge 0.4.0]#
{quote}
- get session info
{quote}
curl -i -k -H "Authorization: Bearer $DSX_TOKEN" -H "X-Requested-By: user1" -X GET ${GATEWAY}'livy/v1/sessions'
{quote}
- delete session
{quote}
curl -i -k -H "Authorization: Bearer $DSX_TOKEN" -H "X-Requested-By: user1" -X DELETE ${GATEWAY}'livy/v1/sessions/69'
{quote}
*Test 2 - user1 sends proxyUser=alice*
{quote}
curl -k -v -X POST -H "Authorization: Bearer $DSX_TOKEN" -H 'Content-Type: application/json' -H 'X-Requested-By: user1' ${GATEWAY}'livy/v1/sessions' -d '{"kind":"spark","proxyUser":"alice"}'
{quote}
- Response shows proxyUser - knox id:
{quote}
{"id":70,"appId":null,"owner":"dsxhi","proxyUser":"dsxhi","state":"starting","kind":"spark","appInfo":{"driverLogUrl":null,"sparkUiUrl":null},"log":["stdout: ","\nstderr: ","\nYARN Diagnostics: "]
{quote}
- delete session
{quote}
curl -i -k -H "Authorization: Bearer $DSX_TOKEN" -H "X-Requested-By: user1" -X DELETE ${GATEWAY}'livy/v1/sessions/70'
{quote}
*Test 3 - user sends proxyUser=User1*
{quote}
curl -k -v -X POST -H "Authorization: Bearer $DSX_TOKEN" -H 'Content-Type: application/json' -H 'X-Requested-By: user1' ${GATEWAY}'livy/v1/sessions' -d '{"kind":"spark","proxyUser":"user1"}'
{quote}
- Response shows proxyUser - knox id:
{quote}
{"id":71,"appId":null,"owner":"dsxhi","proxyUser":"dsxhi","state":"starting","kind":"spark","appInfo":{"driverLogUrl":null,"sparkUiUrl":null},"log":["stdout: ","\nstderr: ","\nYARN Diagnostics: "]}
{quote}
Though I'm wondering if this is related to 1602.. Pulling your 2nd patch and
trying these again
{quote}
at org.apache.knox.gateway.livy.LivyDispatch.doPost(LivyDispatch.java:48)
at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$PostAdapter.doMethod(GatewayDispatchFilter.java:179)
at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:124)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
... 73 more
2018-11-14 15:22:26,307 INFO knox.gateway (AclsAuthorizationFilter.java:doFilter(104)) - Access Granted: true
2018-11-14 15:22:26,315 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(60)) - Failed to execute filter: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('%' (code 37)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
{quote}
Thanks again, Kevin!
> Livy proxyUser should be added when not present
> -----------------------------------------------
>
> Key: KNOX-1098
> URL: https://issues.apache.org/jira/browse/KNOX-1098
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.14.0, 1.0.0, 1.1.0
> Reporter: Jeffrey Rodriguez
> Assignee: Kevin Risden
> Priority: Major
> Labels: livy
> Fix For: 1.2.0
>
> Attachments: KNOX-1098.patch, KNOX-1098.patch
>
>
> Current Knox Livy service will replace the value pair proxyUser, user to
> impersonate when running the job, with the value of the user that Knox has
> authenticated. If the proxyUser value pair doesn't exist the rewrite rule
> will not add the proxyUser value pair.
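
The behaviour the issue asks for, as an added Python example (not from the comment and not Knox's own code): the gateway pins `proxyUser` to the authenticated user whether or not the client sent one, and refuses to forward a body it cannot parse. The function names, the `%`-prefixed input used in testing, and the abridged sample response are constructed for illustration.

```python
import json


class BodyRejected(ValueError):
    """The request body cannot be rewritten safely and must not be forwarded."""


def _reject_duplicate_keys(pairs):
    # Parsers disagree on which duplicate key wins, so refuse the body outright
    # instead of guessing which "proxyUser" the backend would honour.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key in JSON object")
    return dict(pairs)


def enforce_proxy_user(raw_body: bytes, authenticated_user: str) -> bytes:
    """Pin proxyUser to the authenticated user: overwrite it if the client
    sent one, add it if the client sent none (the case KNOX-1098 describes)."""
    if not authenticated_user:
        raise BodyRejected("no authenticated principal")
    try:
        body = json.loads(raw_body.decode("utf-8"),
                          object_pairs_hook=_reject_duplicate_keys)
    except (UnicodeDecodeError, ValueError) as exc:
        # Fail closed: an unparseable body is never passed through unmodified.
        raise BodyRejected(f"body is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise BodyRejected("session request must be a JSON object")
    body["proxyUser"] = authenticated_user
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


# Abridged from the Test 1 response quoted in the comment above.
SAMPLE_RESPONSE = ('{"id":69,"owner":"dsxhi","proxyUser":"dsxhi",'
                   '"state":"starting","kind":"spark"}')


def runs_as(session_json: str, expected_user: str) -> bool:
    """True if the Livy session response names expected_user as proxyUser."""
    return json.loads(session_json).get("proxyUser") == expected_user
```

Running `runs_as` over each session-creation response turns the three manual tests in the comment into a regression check on who the session actually impersonates.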