[ 
https://issues.apache.org/jira/browse/KNOX-2026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947804#comment-16947804
 ] 

ASF subversion and git services commented on KNOX-2026:
-------------------------------------------------------

Commit f7acac99b10064f6f992f3352d2446d6661fe373 in knox's branch 
refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=f7acac9 ]

KNOX-2026 - Accept Impala's authentication cookies (#161)

This patch modifies HadoopAuthCookieStore to accept cookies with
Impala's cookie name, "impala.auth".

It also updates a check that is used to ensure the cookie belongs to
Knox - previously, this check parsed the cookie according to the
specific format that Hadoop uses for its cookies and ensured that the
Knox principal appears in the expected location.

Impala uses a similar cookie format, but with a few changes such as
fields being in a different order. The check is made more permissive
such that it will accept any cookie that contains the Knox principal
anywhere in it.

Testing:
- Deployed in a cluster and verified that Knox accepts and returns
  Impala's cookies as expected.

> Accept Impala's authentication cookies
> --------------------------------------
>
>                 Key: KNOX-2026
>                 URL: https://issues.apache.org/jira/browse/KNOX-2026
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> With the Impala service definitions that were recently added, it would be 
> nice if Knox would accept and return the authentication cookies that Impala 
> generates.
> As far as I can tell, they are not currently being accepted due to failing 
> the two checks here: 
> https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67
> For the first check, isAuthCookie(), it's fairly easy to add Impala's cookie 
> name (impala.auth) to the options.
> For the second check, isKnoxCookie(), which appears to have been added in 
> KNOX-1341, Knox requires a very specific cookie format. While Impala uses the 
> same basic scheme for generating cookies as Hadoop, the precise format is 
> slightly different, so we fail the check. I can see a few options for fixing 
> this:
> - Update Impala to use the exact same cookie format as Hadoop. This is 
> relatively easy, but it seems overly restrictive to me to require that all 
> components use the exact same cookie format, and could cause headaches if 
> Impala or any other components ever need to modify their cookie format.
> - Make the isKnoxCookie() check more permissive. The simplest thing would be 
> to just check that the Knox principal is present somewhere in the cookie 
> value, which should accept any cookie that uses the basic format of having a 
> sequence of values, including the authenticated username/principal, along 
> with an HMAC. It seems unlikely to me that would result in storing any 
> undesired cookies, but if it's too permissive another option would be to make 
> the format dependent on the cookie name.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
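
As an added illustration (not Knox's code and not part of the commit), the Java sketch below contrasts a positional principal check with the "principal anywhere in the value" check the commit message describes, plus a hypothetical field-wise variant that is order-independent but requires an exact field match. The class and method names, the principal, and all cookie values are constructed for the example; the reordered sample is not Impala's actual cookie format.

```java
import java.util.Arrays;

public class CookieOwnerCheck {
  // Positional check: assumes a Hadoop-style layout u=<user>&p=<principal>&...,
  // so the principal must be the value of the second '&'-separated field.
  static boolean strictCheck(String value, String principal) {
    String[] parts = value.split("&");
    if (parts.length < 2) return false;
    String[] kv = parts[1].split("=", 2);
    return kv.length == 2 && kv[0].equals("p") && kv[1].equals(principal);
  }

  // Permissive check as the commit message describes it:
  // the principal may appear anywhere in the cookie value.
  static boolean containsCheck(String value, String principal) {
    return value.contains(principal);
  }

  // Hypothetical middle ground (an assumption, not Knox code): field order is
  // ignored, but the principal must be the complete value of some key=value field.
  static boolean fieldCheck(String value, String principal) {
    return Arrays.stream(value.split("&"))
        .map(f -> f.split("=", 2))
        .anyMatch(kv -> kv.length == 2 && kv[1].equals(principal));
  }

  public static void main(String[] args) {
    String principal = "knox/gw.example.com@EXAMPLE.COM"; // constructed principal
    String[] samples = {
      // Constructed cookie values; "SIG" stands in for the HMAC.
      "u=knox&p=" + principal + "&t=kerberos&e=1570000000000&s=SIG",  // Hadoop-style order
      "s=SIG&t=1570000000000&u=" + principal + "&r=12345",            // same fields, reordered
      "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1570000000000&s=SIG", // a different principal
      "u=x&p=not-" + principal + "&t=kerberos&e=1570000000000&s=SIG", // principal only as a substring
    };
    for (String s : samples) {
      System.out.printf("strict=%-5b contains=%-5b field=%-5b  %s%n",
          strictCheck(s, principal), containsCheck(s, principal),
          fieldCheck(s, principal), s);
    }
  }
}
```

The last sample is the case where the substring check and the field-wise check disagree, which is the trade-off the issue raises when it asks whether the relaxed check is too permissive.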
