[ https://issues.apache.org/jira/browse/KNOX-2672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Molnar resolved KNOX-2672.
---------------------------------
    Fix Version/s: 1.6.0
       Resolution: Fixed

> Handle gateway-level aliases in Hadoop authentication filter
> ------------------------------------------------------------
>
>                 Key: KNOX-2672
>                 URL: https://issues.apache.org/jira/browse/KNOX-2672
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The current {{HadoopAuthFilter}} implementation is [capable of handling 
> aliases on topology 
> level|https://github.com/apache/knox/blob/v1.5.0/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java#L267-L275]:
> {noformat}
>         if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
>           String alias = value.substring("${ALIAS=".length(), value.length() - 1);
>           try {
>             value = String.valueOf(
>                 aliasService.getPasswordFromAliasForCluster(clusterName, alias));
>           } catch (AliasServiceException e) {
>             throw new ServletException("Unable to retrieve alias for config: " + name, e);
>           }
>         }
>  {noformat}
> However, this solution is not too flexible: imagine you create a shared 
> provider configuration with the {{HadoopAuth}} provider where you want to use 
> an alias (e.g. the keytab file location in Cloudera Manager isn't static, it's 
> relative to the Knox process's directory). At the provider creation time, you 
> don't know the descriptors (topologies) that may reference your newly created 
> shared provider configuration. Thus, you cannot create the desired aliases in 
> advance using the Knox CLI. What you can do is to create an alias on the 
> gateway-level which the HadoopAuth filter should be able to look up.
> The suggested solution is to extend the above logic as follows: if the 
> topology-level alias is not found, try to get the value from the 
> gateway-level.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
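
The lookup order proposed in the issue, as an added Java example (not Knox's code and not the committed fix): `AliasLookup` is a hypothetical stand-in for Knox's alias service, assumed to return null for an undefined alias, and every alias name and value is constructed.

```java
import java.util.Map;
// Added illustration, not Knox source. AliasLookup is a hypothetical stand-in for
// Knox's alias service; it is assumed to return null when an alias is not defined.
public class AliasFallbackExample {
  interface AliasLookup {
    char[] forCluster(String clusterName, String alias);
    char[] forGateway(String alias);
  }

  static final String PREFIX = "${ALIAS=";
  /** Resolves a filter config value, preferring the topology-level alias. */
  static String resolve(AliasLookup aliases, String clusterName, String name, String value) {
    if (!(value.startsWith(PREFIX) && value.endsWith("}"))) {
      return value; // literal value, nothing to resolve
    }
    String alias = value.substring(PREFIX.length(), value.length() - 1);
    char[] secret = aliases.forCluster(clusterName, alias);
    if (secret == null) {
      secret = aliases.forGateway(alias); // fallback proposed in the issue
    }
    if (secret == null) {
      // Fail closed: never hand the unresolved "${ALIAS=...}" text to the auth handler.
      throw new IllegalStateException("Unable to retrieve alias for config: " + name);
    }
    return String.valueOf(secret);
  }

  public static void main(String[] args) {
    // Constructed sample data: "shared" exists at both levels, "keytab" only at gateway level.
    Map<String, String> topology = Map.of("shared", "topology-value");
    Map<String, String> gateway = Map.of("shared", "gateway-value", "keytab", "/constructed/knox.keytab");
    AliasLookup aliases = new AliasLookup() {
      public char[] forCluster(String c, String a) {
        return "sandbox".equals(c) && topology.containsKey(a) ? topology.get(a).toCharArray() : null;
      }
      public char[] forGateway(String a) {
        return gateway.containsKey(a) ? gateway.get(a).toCharArray() : null;
      }
    };
    System.out.println(resolve(aliases, "sandbox", "kerberos.keytab", "${ALIAS=keytab}")); // gateway fallback
    System.out.println(resolve(aliases, "sandbox", "some.param", "${ALIAS=shared}"));      // topology level wins
    System.out.println(resolve(aliases, "sandbox", "type", "kerberos"));                   // literal, unchanged
    try {
      resolve(aliases, "sandbox", "signature.secret", "${ALIAS=missing}");
    } catch (IllegalStateException e) {
      System.out.println(e.getMessage()); // names the config key, not any secret
    }
  }
}
```

With this order a topology-level alias still overrides a gateway-level alias of the same name, so existing per-topology secrets keep their meaning after the fallback is added.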