Sandor Molnar created KNOX-2770:
-----------------------------------
Summary: KnoxToken doAs won't work with HadoopAuth filter
Key: KNOX-2770
URL: https://issues.apache.org/jira/browse/KNOX-2770
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 2.0.0
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 2.0.0
*Steps to reproduce*
* create a topology with Knox's HadoopAuth filter as the authentication
provider and include the KNOXTOKEN service (let's call it
{{myKnoxTokenTopology}} in this sample)
* make sure the HadoopAuth filter is configured in a way such as it allows the
hive users (can be any user, I use hive as a sample) to impersonate hdfs
* make sure that token state management is disabled in the KNOXTOKEN service
* login to Kerberos as the hive user (kinit using a valid hive keytab)
* try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. {{curl
--negotiate -u : "https://$(hostname
-f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}}
*Actual results*
The second call fails with an error message like this:
{noformat}
{
"RemoteException" : {
"message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
"exception" : "AuthorizationException",
"javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
}
} {noformat}
*Expected results*
Both KnoxToken REST API invocations should have succeeded.
*Action plan:*
* fix the issue of refreshing Hadoop's proxyuser configuration in
TokenResource when token state management is disabled
* introduce a new service-level configuration that let us enable/disable the
doAs support on the KnoxToken path regardless of the token state management
settings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
