[
https://issues.apache.org/jira/browse/KNOX-2026?focusedWorklogId=323073&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-323073
]
ASF GitHub Bot logged work on KNOX-2026:
----------------------------------------
Author: ASF GitHub Bot
Created on: 03/Oct/19 23:44
Start Date: 03/Oct/19 23:44
Worklog Time Spent: 10m
Work Description: twmarshall commented on pull request #161: KNOX-2026:
Accept Impala's authentication cookies
URL: https://github.com/apache/knox/pull/161
This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".
It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensures that the
Knox principal appears in the expected location.
Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.
Testing:
- Deployed in a cluster and verified that Knox accepts and returns
Impala's cookies as expected.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 323073)
Remaining Estimate: 0h
Time Spent: 10m
> Accept Impala's authentication cookies
> --------------------------------------
>
> Key: KNOX-2026
> URL: https://issues.apache.org/jira/browse/KNOX-2026
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Thomas Tauber-Marshall
> Assignee: Thomas Tauber-Marshall
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> With the Impala service definitions that were recently added, it would be
> nice if Knox would accept and return the authentication cookies that Impala
> generates.
> As far as I can tell, they are not currently being accepted due to failing
> the two checks here:
> https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67
> For the first check, isAuthCookie(), its fairly easy to add Impala's cookie
> name (impala.auth), to the options.
> For the second check, isKnoxCookie(), which appears to have been added in
> KNOX-1341, Knox requires a very specific cookie format. While Impala uses the
> same basic scheme for generating cookies as Hadoop, the precise format is
> slightly different, so we fail the check. I can see a few options for fixing
> this:
> - Update Impala to use the exact same cookie format as Hadoop. This is
> relatively easy, but it seems overly restrictive to me to require that all
> components use the exact same cookie format, and could cause headaches if
> Impala or any other components ever needs to modify their cookie format.
> - Make the isKnoxCookie() check more permissive. The simplest thing would be
> to just check that the Knox principal is present somewhere in the cookie
> value, which should accept any cookie that uses the basic format of having a
> sequence of values, including the authenticated username/principal, along
> with an HMAC. It seems unlikely to me that would result in storing any
> undesired cookies, but if its too permissive another option would be to make
> the format dependent on the cookie name.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
