[ 
https://issues.apache.org/jira/browse/KNOX-2026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kevin Risden resolved KNOX-2026.
--------------------------------
    Fix Version/s: 1.4.0
       Resolution: Fixed

> Accept Impala's authentication cookies
> --------------------------------------
>
>                 Key: KNOX-2026
>                 URL: https://issues.apache.org/jira/browse/KNOX-2026
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>             Fix For: 1.4.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> With the Impala service definitions that were recently added, it would be 
> nice if Knox would accept and return the authentication cookies that Impala 
> generates.
> As far as I can tell, they are not currently being accepted due to failing 
> the two checks here: 
> https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67
> For the first check, isAuthCookie(), it's fairly easy to add Impala's cookie 
> name (impala.auth) to the options.
> For the second check, isKnoxCookie(), which appears to have been added in 
> KNOX-1341, Knox requires a very specific cookie format. While Impala uses the 
> same basic scheme for generating cookies as Hadoop, the precise format is 
> slightly different, so we fail the check. I can see a few options for fixing 
> this:
> - Update Impala to use the exact same cookie format as Hadoop. This is 
> relatively easy, but it seems overly restrictive to me to require that all 
> components use the exact same cookie format, and could cause headaches if 
> Impala or any other components ever need to modify their cookie format.
> - Make the isKnoxCookie() check more permissive. The simplest thing would be 
> to just check that the Knox principal is present somewhere in the cookie 
> value, which should accept any cookie that uses the basic format of having a 
> sequence of values, including the authenticated username/principal, along 
> with an HMAC. It seems unlikely to me that would result in storing any 
> undesired cookies, but if it's too permissive another option would be to make 
> the format dependent on the cookie name.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
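
The two isKnoxCookie() options discussed in the issue, sketched side by side as an added example (not Knox's code and not part of the original message). The principal, both cookie layouts and the sample values are constructed placeholders, not the real Hadoop or Impala formats.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class AuthCookieCheckSketch {
    // Hypothetical gateway principal (placeholder, not taken from the issue).
    static final String PRINCIPAL = "knox/gw.example.com@EXAMPLE.COM";

    // Permissive option: the principal appears anywhere in the cookie value.
    static boolean containsPrincipal(String value) {
        return value != null && value.contains(PRINCIPAL);
    }

    // Name-dependent option: one expected layout per cookie name.
    // Both layouts are constructed for this sketch.
    static final Map<String, Pattern> LAYOUTS = new LinkedHashMap<>();
    static {
        String p = Pattern.quote(PRINCIPAL);
        LAYOUTS.put("hadoop.auth",
            Pattern.compile("u=[^&]+&p=" + p + "&t=[^&]+&e=\\d+&s=[^&]+"));
        LAYOUTS.put("impala.auth",
            Pattern.compile("[0-9a-f]+&u=" + p + "&t=\\d+&r=\\d+"));
    }

    static boolean matchesLayout(String name, String value) {
        Pattern layout = LAYOUTS.get(name);
        return layout != null && value != null && layout.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample cookies: {name, value}.
        String[][] samples = {
            {"hadoop.auth", "u=knox&p=" + PRINCIPAL + "&t=kerberos&e=1700000000&s=c2ln"},
            {"impala.auth", "9f2ab4&u=" + PRINCIPAL + "&t=1700000000&r=42"},
            // Issued to a different principal; the gateway principal only
            // shows up in a trailing field, so only the substring check passes.
            {"impala.auth", "9f2ab4&u=alice@EXAMPLE.COM&t=1700000000&r=42&x=" + PRINCIPAL},
        };
        for (String[] c : samples) {
            System.out.printf("%-12s contains=%-5b layout=%b%n",
                c[0], containsPrincipal(c[1]), matchesLayout(c[0], c[1]));
        }
    }
}
```

The third sample is the case that separates the two options: a substring match would store it, while a layout keyed on the cookie name would not.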
