[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16793919#comment-16793919 ]

Ruslan Dautkhanov commented on KNOX-1765:
-----------------------------------------

[~krisden] yep that is in doAs 

/opt/ibm/dsxhi/gateway/logs/gateway-audit.log

{noformat}

19/03/05 12:01:16 ||920556cf-309c-46f3-90fc-34853c5aa111|audit|10.20.32.128|LIVYSERVER2|rdautkhanov|||authentication|uri|/gateway/dsx/livy2/v1/sessions/255|success|

19/03/05 12:01:16 ||920556cf-309c-46f3-90fc-34853c5aa111|audit|10.20.32.128|LIVYSERVER2|rdautkhanov|[email protected]||identity-mapping|principal|rdautkhanov|success|Effective User: [[email protected]|mailto:[email protected]]

{noformat}
 
/var/log/dsxhi/livy2/2019_03_05.request.log

{noformat}
10.20.32.60 - - [05/Mar/2019:19:00:56 +0000] "DELETE /sessions/255?doAs=rdautkhanov%40CORP.EPSILON.COM HTTP/1.1" 404 -
10.20.32.60 - - [05/Mar/2019:19:00:56 +0000] "DELETE /sessions/255?doAs=rdautkhanov%40CORP.EPSILON.COM HTTP/1.1" 404 -
10.20.32.60 - - [05/Mar/2019:19:00:56 +0000] "DELETE /sessions/255?doAs=rdautkhanov%40CORP.EPSILON.COM HTTP/1.1" 404 -
10.20.32.60 - - [05/Mar/2019:19:00:57 +0000] "DELETE /sessions/255?doAs=rdautkhanov%40CORP.EPSILON.COM HTTP/1.1" 404 -

{noformat}


[~jesus.alv] - thank you! Let me try Regex identity-assertion and see how it 
works.



> option to append @realm to usernames
> ------------------------------------
>
>                 Key: KNOX-1765
>                 URL: https://issues.apache.org/jira/browse/KNOX-1765
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Ruslan Dautkhanov
>            Assignee: Larry McCay
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names. 
>  
> For auth_to_local to work, @realm part is mandatory. 
>  
> For example, if Apache Knox authenticates users using LDAP 
> and then sends requests over to Livy, it doesn't append realm. 
>  
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like 
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if 
> realm is empty, auth_to_local rules are not applied
>  
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>  
> rules application starts down below on line 383
>  
> so it never reaches rules transformations loop if realm is empty. 
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
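
An added illustration, not part of the original thread and not Knox, Livy or Hadoop code: a small audit over request-log lines in the format quoted in the comment, reporting which `doAs` values carry a realm and which would bypass name-mapping rules as the issue describes. The log lines, user names, `EXAMPLE.COM` realm and the single "strip the local realm" rule are constructed assumptions standing in for a real `auth_to_local` rule set.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the request-log format shown in the comment.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2019:19:00:56 +0000] "DELETE /sessions/255?doAs=alice%40EXAMPLE.COM HTTP/1.1" 404 -
10.0.0.5 - - [05/Mar/2019:19:01:02 +0000] "POST /sessions?doAs=bob HTTP/1.1" 201 -
10.0.0.5 - - [05/Mar/2019:19:01:09 +0000] "GET /sessions HTTP/1.1" 200 -
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def split_principal(name):
    """Split 'user@REALM' into (user, realm); realm is None when absent."""
    user, sep, realm = name.partition("@")
    return user, (realm if sep and realm else None)


def short_name(name, local_realm):
    """Simplified model of the behaviour described in the issue.

    Returns (short_name, rules_applied). A name without a realm is returned
    unchanged before any rule is consulted; short_name is None when the
    realm is present but no (assumed) rule matches it.
    """
    user, realm = split_principal(name)
    if realm is None:
        return name, False          # rules loop is never reached
    if realm == local_realm:
        return user, True           # assumed rule: strip the local realm
    return None, True               # rules consulted, none matched


def audit_doas(log_text, local_realm):
    """Return one finding per logged request that carries a doAs parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        values = parse_qs(urlsplit(m["target"]).query).get("doAs")
        if not values:
            continue
        name = values[0]            # parse_qs already decoded %40 to @
        short, applied = short_name(name, local_realm)
        findings.append({"method": m["method"], "status": int(m["status"]),
                         "doAs": name, "short": short, "rules_applied": applied})
    return findings
```
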
