[jira] [Work logged] (KNOX-2770) KnoxToken doAs won't work with HadoopAuth filter

Tue, 19 Jul 2022 22:43:05 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-2770?focusedWorklogId=793027&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-793027
 ]

ASF GitHub Bot logged work on KNOX-2770:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Jul/22 05:42
            Start Date: 20/Jul/22 05:42
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged PR #609:
URL: https://github.com/apache/knox/pull/609




Issue Time Tracking
-------------------

    Worklog Id:     (was: 793027)
    Time Spent: 20m  (was: 10m)

> KnoxToken doAs won't work with HadoopAuth filter
> ------------------------------------------------
>
>                 Key: KNOX-2770
>                 URL: https://issues.apache.org/jira/browse/KNOX-2770
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Blocker
>             Fix For: 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * create a topology with Knox's HadoopAuth filter as the authentication 
> provider and include the KNOXTOKEN service (let's call it 
> {{myKnoxTokenTopology}} in this sample)
>  * make sure the HadoopAuth filter is configured in a way such as it allows 
> the hive users (can be any user, I use hive as a sample) to impersonate hdfs
>  * make sure that token state management is disabled in the KNOXTOKEN service
>  * login to Kerberos as the hive user (kinit using a valid hive keytab)
>  * try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. 
> {{curl --negotiate -u : "https://$(hostname 
> -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}}
> *Actual results*
> The second call fails with an error message like this:
> {noformat}
> {
>   "RemoteException" : {
>     "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
>     "exception" : "AuthorizationException",
>     "javaClassName" : 
> "org.apache.hadoop.security.authorize.AuthorizationException"
>   }
> } {noformat}
>  
> *Expected results*
> Both KnoxToken REST API invocations should have succeeded.
>  
> *Action plan:*
>  * fix the issue of refreshing Hadoop's proxyuser configuration in 
> TokenResource when token state management is disabled
>  * introduce a new service-level configuration that let us enable/disable the 
> doAs support on the KnoxToken path regardless of the token state management 
> settings



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to