[
https://issues.apache.org/jira/browse/KNOX-2831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-2831:
--------------------------------
Description:
With KNOX-2714, users can create tokens on behalf of others by configuring
[Knox Token
Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
in the {{KNOXTOKEN}} service.
However, when there are multiple topologies with the {{KNOXTOKEN}} service and
they have different proxyuser configurations, the feature breaks as follows:
- {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
- {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
Let's see this flow:
# get a token for {{targetUser1}} by {{user1}} - this succeeds
# get a token for {{targetUser2}} by {{user2}} - this succeeds
# get another token for {{targetUser1}} by {{user1}} - this fails
The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's
{{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String
proxyUserPrefix)}} which the 2nd call overrides in the {{init}} method of that
servlet. So the 3rd call will fail because the previous configuration on that
topology is lost.
was:
With KNOX-2714, users can create tokens on behalf of others by configuring
[Knox Token
Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
in the {{KNOXTOKEN}} service.
However, when there are multiple topologies with the {{KNOXTOKEN}} service and
they have different proxyuser configurations, the feature breaks as follows:
- {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
- {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
Let's see this flow:
# get a token for {{targetUser1}} by {{user1}} - this succeeds
# get a token for {{targetUser2}} by {{user2}} - this succeeds
# get another token for {{targetUser1}} by {{user1}} - this fails
The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's
{{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String
proxyUserPrefix)}} which the 2nd call overrides in the {{init}} method of that
servlet. So the 3rd call will fail because the previous configuration on that
topology is lost.
> Knox token impersonation in multiple topologies
> -----------------------------------------------
>
> Key: KNOX-2831
> URL: https://issues.apache.org/jira/browse/KNOX-2831
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.0.0
>
>
> With KNOX-2714, users can create tokens on behalf of others by configuring
> [Knox Token
> Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
> in the {{KNOXTOKEN}} service.
> However, when there are multiple topologies with the {{KNOXTOKEN}} service
> and they have different proxyuser configurations, the feature breaks as
> follows:
> - {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
> - {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
> Let's see this flow:
> # get a token for {{targetUser1}} by {{user1}} - this succeeds
> # get a token for {{targetUser2}} by {{user2}} - this succeeds
> # get another token for {{targetUser1}} by {{user1}} - this fails
> The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's
> {{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String
> proxyUserPrefix)}} which the 2nd call overrides in the {{init}} method of
> that servlet. So the 3rd call will fail because the previous configuration on
> that topology is lost.
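As an added illustration (constructed here, not Knox or Hadoop code), a small Python model of the failure described in the issue: a process-wide allow-list that every topology's servlet init replaces, beside a per-topology allow-list, each replayed through the three requests above. The `knox.token.proxyuser` prefix and the `<prefix>.<user>.users` key layout are assumptions modelled on Hadoop's `hadoop.proxyuser.*` convention.

```python
"""Model of the KNOX-2831 failure (constructed example, not Knox or Hadoop code).
Hadoop's ProxyUsers holds one process-wide allow-list and refresh replaces it, so
each KNOXTOKEN servlet's init() overwrites what the previous topology loaded.
Keys use an assumed '<prefix>.<user>.users' layout like hadoop.proxyuser.*."""
PREFIX = "knox.token.proxyuser"  # assumed prefix, not verified against Knox source
TOPOLOGY_CONFIGS = {  # constructed configs for the two topologies in the issue
    "topology1": {f"{PREFIX}.user1.users": "targetUser1"},
    "topology2": {f"{PREFIX}.user2.users": "targetUser2"},
}

def parse_proxyusers(conf, prefix):
    """Return {proxy_user: {allowed targets}} from '<prefix>.<user>.users' entries."""
    rules = {}
    for key, value in conf.items():
        if not key.startswith(prefix + "."):
            continue
        user, _, attr = key[len(prefix) + 1:].rpartition(".")
        if attr == "users" and user:
            rules[user] = {v.strip() for v in value.split(",") if v.strip()}
    return rules

class SharedProxyUsers:
    """Like Hadoop's static ProxyUsers: a single allow-list for the whole JVM."""
    _rules = {}

    def refresh(self, conf, prefix):
        SharedProxyUsers._rules = parse_proxyusers(conf, prefix)  # replaces, never merges
    def authorize(self, proxy_user, target):
        return target in SharedProxyUsers._rules.get(proxy_user, set())

class PerTopologyProxyUsers(SharedProxyUsers):
    """Fix shape: each servlet keeps its own allow-list, so inits cannot clobber each other."""
    def refresh(self, conf, prefix):
        self._rules = parse_proxyusers(conf, prefix)  # instance state, not class state
    def authorize(self, proxy_user, target):
        return target in self._rules.get(proxy_user, set())

def run_issue_flow(registry_cls):
    """Replay the issue's three requests; a servlet calls refresh() on its first request (init)."""
    servlets = {}
    def servlet(topology):
        if topology not in servlets:  # init(): first request to this topology
            servlets[topology] = registry_cls()
            servlets[topology].refresh(TOPOLOGY_CONFIGS[topology], PREFIX)
        return servlets[topology]
    requests = [("topology1", "user1", "targetUser1"),
                ("topology2", "user2", "targetUser2"),
                ("topology1", "user1", "targetUser1")]
    return [servlet(t).authorize(u, target) for t, u, target in requests]
```

`run_issue_flow(SharedProxyUsers)` reproduces the succeeds/succeeds/fails sequence from the issue, while `run_issue_flow(PerTopologyProxyUsers)` authorizes all three requests.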
--
This message was sent by Atlassian Jira
(v8.20.10#820010)