[
https://issues.apache.org/jira/browse/KNOX-2026?focusedWorklogId=323075&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-323075
]
ASF GitHub Bot logged work on KNOX-2026:
----------------------------------------
Author: ASF GitHub Bot
Created on: 03/Oct/19 23:45
Start Date: 03/Oct/19 23:45
Worklog Time Spent: 10m
Work Description: twmarshall commented on issue #161: KNOX-2026: Accept
Impala's authentication cookies
URL: https://github.com/apache/knox/pull/161#issuecomment-538170962
@pzampino could you possible take a look? You appear to have implemented the
check in the first place in KNOX-1341. Thanks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 323075)
Time Spent: 20m (was: 10m)
> Accept Impala's authentication cookies
> --------------------------------------
>
> Key: KNOX-2026
> URL: https://issues.apache.org/jira/browse/KNOX-2026
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Thomas Tauber-Marshall
> Assignee: Thomas Tauber-Marshall
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> With the Impala service definitions that were recently added, it would be
> nice if Knox would accept and return the authentication cookies that Impala
> generates.
> As far as I can tell, they are not currently being accepted due to failing
> the two checks here:
> https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67
> For the first check, isAuthCookie(), its fairly easy to add Impala's cookie
> name (impala.auth), to the options.
> For the second check, isKnoxCookie(), which appears to have been added in
> KNOX-1341, Knox requires a very specific cookie format. While Impala uses the
> same basic scheme for generating cookies as Hadoop, the precise format is
> slightly different, so we fail the check. I can see a few options for fixing
> this:
> - Update Impala to use the exact same cookie format as Hadoop. This is
> relatively easy, but it seems overly restrictive to me to require that all
> components use the exact same cookie format, and could cause headaches if
> Impala or any other components ever needs to modify their cookie format.
> - Make the isKnoxCookie() check more permissive. The simplest thing would be
> to just check that the Knox principal is present somewhere in the cookie
> value, which should accept any cookie that uses the basic format of having a
> sequence of values, including the authenticated username/principal, along
> with an HMAC. It seems unlikely to me that would result in storing any
> undesired cookies, but if its too permissive another option would be to make
> the format dependent on the cookie name.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
