Tien Dat created KNOX-2765:
------------------------------

             Summary: HDFS WebUI asked for impersonation right when topology identity-assertion is set with HadoopGroupProvider
                 Key: KNOX-2765
                 URL: https://issues.apache.org/jira/browse/KNOX-2765
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 1.6.0
            Reporter: Tien Dat


Dear,

We are currently using Apache Knox to manage access to an HDFS cluster.

In addition, we use Apache Ranger to manage access control to the different Apache Knox topologies.

Our users and groups are located in an LDAP server, and to propagate this information to the Apache Ranger plugin of Knox, we set up identity-assertion with the LdapGroupsMapping implementation of Hadoop.
{code:xml}
<!-- Configuration in topology XML -->
<provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
</provider>

<provider>
    <role>identity-assertion</role>
    <name>HadoopGroupProvider</name>
    <enabled>true</enabled>
    <param>
        <name>hadoop.security.group.mapping</name>
        <value>org.apache.hadoop.security.LdapGroupsMapping</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.bind.password</name>
        <value>my_ldap_pass</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.url</name>
        <value>ldap://MY_LDAP_SERVER:3389</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.bind.user</name>
        <value>cn=manager,dc=hadoop,dc=com</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.base</name>
        <value>dc=hadoop,dc=com</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
        <value>(objectClass=groupOfNames)</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
        <value>(&amp;(objectClass=inetOrgPerson)(cn={0}))</value>
    </param>
</provider>
{code}
 

Regarding the Apache Ranger plugin, this setting allows the Ranger plugin to correctly distinguish the user and its groups (stored in the LDAP server) when accessing a specific topology, and then assess whether that user has the right to access it or not.

 

However, with the HDFS WebUI, this setting leads to the error:
{code}
Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: test is not allowed to impersonate test
{code}
It appears to require the impersonation privilege for this user in order to obtain user group information. Clearly, we can enable the impersonation privilege for this specific user just to pass the test. But in production, we have hundreds to thousands of users, and we just cannot and must not give the impersonation privilege to all of those users who have the right to access the HDFS Web UI.

 

Could you please take a look at this issue and shed some light on the topic?!
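The following is an added example, not code from the reporter or from the Knox project: it parses a topology in the shape quoted above, reports whether the identity-assertion provider is the HadoopGroupProvider/LdapGroupsMapping combination this issue is about, and flags two caveats about how the LDAP bind credentials in that provider are configured. The sample topology, the hostname ldap.example.test and the functions `providers` and `audit` are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the topology fragment quoted in this issue
# (hostname and password are placeholders, not values from any real deployment).
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider><role>authorization</role><name>XASecurePDPKnox</name><enabled>true</enabled></provider>
  <provider><role>identity-assertion</role><name>HadoopGroupProvider</name><enabled>true</enabled>
    <param><name>hadoop.security.group.mapping</name>
           <value>org.apache.hadoop.security.LdapGroupsMapping</value></param>
    <param><name>hadoop.security.group.mapping.ldap.url</name>
           <value>ldap://ldap.example.test:3389</value></param>
    <param><name>hadoop.security.group.mapping.ldap.bind.password</name>
           <value>placeholder_pass</value></param>
  </provider>
</gateway></topology>"""


def providers(xml_text):
    """Map each <provider> role to (name, enabled, {param name: value})."""
    root = ET.fromstring(xml_text)
    out = {}
    for p in root.iter("provider"):
        params = {q.findtext("name"): q.findtext("value") for q in p.findall("param")}
        out[p.findtext("role")] = (p.findtext("name"), p.findtext("enabled") == "true", params)
    return out


def audit(xml_text):
    """Return findings about the identity-assertion provider relevant to KNOX-2765."""
    ia = providers(xml_text).get("identity-assertion")
    if ia is None:
        return ["no identity-assertion provider configured"]
    name, enabled, params = ia
    findings = []
    mapping = params.get("hadoop.security.group.mapping", "")
    if enabled and name == "HadoopGroupProvider" and mapping.endswith("LdapGroupsMapping"):
        # This is the combination the reporter says triggers the WebUI impersonation check.
        findings.append("HadoopGroupProvider resolves groups via LdapGroupsMapping")
        url = params.get("hadoop.security.group.mapping.ldap.url", "")
        if url.startswith("ldap://") and params.get("hadoop.security.group.mapping.ldap.ssl") != "true":
            # Bind DN and password travel in clear text unless Hadoop's ssl flag is set.
            findings.append("LDAP bind over plain ldap:// without hadoop.security.group.mapping.ldap.ssl")
        if "hadoop.security.group.mapping.ldap.bind.password" in params:
            # Hadoop also accepts hadoop.security.group.mapping.ldap.bind.password.file instead.
            findings.append("LDAP bind password stored in clear text in the topology")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOPOLOGY):
        print("-", finding)
```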

 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
