[
https://issues.apache.org/jira/browse/KNOX-2770?focusedWorklogId=792537&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-792537
]
ASF GitHub Bot logged work on KNOX-2770:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/Jul/22 09:19
Start Date: 19/Jul/22 09:19
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #609:
URL: https://github.com/apache/knox/pull/609
## What changes were proposed in this pull request?
2 major changes in the PR:
1. Using the previously introduced `knox.token.impersonation.enabled`
parameter to control proxyuser actions
2. Proxyuser config refresh and authorization takes place only, and only if
2.1. Token management is enabled
2.2. Impersonation is enabled
## How was this patch tested?
Manually tested as described in the JIRA (see `Test to reproduce`).
Issue Time Tracking
-------------------
Worklog Id: (was: 792537)
Remaining Estimate: 0h
Time Spent: 10m
> KnoxToken doAs won't work with HadoopAuth filter
> ------------------------------------------------
>
> Key: KNOX-2770
> URL: https://issues.apache.org/jira/browse/KNOX-2770
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> *Steps to reproduce*
> * create a topology with Knox's HadoopAuth filter as the authentication
> provider and include the KNOXTOKEN service (let's call it
> {{myKnoxTokenTopology}} in this sample)
> * make sure the HadoopAuth filter is configured in a way such as it allows
> the hive users (can be any user, I use hive as a sample) to impersonate hdfs
> * make sure that token state management is disabled in the KNOXTOKEN service
> * login to Kerberos as the hive user (kinit using a valid hive keytab)
> * try to get 2 Knox tokens using that topology on behalf of hdfs (e.g.
> {{curl --negotiate -u : "https://$(hostname
> -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}}
> *Actual results*
> The second call fails with an error message like this:
> {noformat}
> {
> "RemoteException" : {
> "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
> "exception" : "AuthorizationException",
> "javaClassName" :
> "org.apache.hadoop.security.authorize.AuthorizationException"
> }
> } {noformat}
>
> *Expected results*
> Both KnoxToken REST API invocations should have succeeded.
>
> *Action plan:*
> * fix the issue of refreshing Hadoop's proxyuser configuration in
> TokenResource when token state management is disabled
> * introduce a new service-level configuration that let us enable/disable the
> doAs support on the KnoxToken path regardless of the token state management
> settings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
