[ https://issues.apache.org/jira/browse/KNOX-2831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on KNOX-2831 started by Sandor Molnar.
-------------------------------------------
> Knox token impersonation in multiple topologies
> -----------------------------------------------
>
> Key: KNOX-2831
> URL: https://issues.apache.org/jira/browse/KNOX-2831
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.0.0
>
>
> With KNOX-2714, users can create tokens on behalf of others by configuring
> [Knox Token Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
> in the {{KNOXTOKEN}} service.
> However, when there are multiple topologies with the {{KNOXTOKEN}} service
> and they have different proxyuser configurations the feature breaks as
> follows:
> - {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
> - {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
> Let's see this flow:
> # get a token for {{targetUser1}} by {{user1}} - this succeeds
> # get a token for {{targetUser2}} by {{user2}} - this succeeds
> # get another token for {{targetUser1}} by {{user1}} - this fails
> The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's
> {{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix)}}
> which the 2nd call overrides in the {{init}} method of
> that servlet. So the 3rd call will fail because the previous configuration on
> that topology is lost.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)