[ https://issues.apache.org/jira/browse/KNOX-2831?focusedWorklogId=820907&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-820907 ]
ASF GitHub Bot logged work on KNOX-2831:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Oct/22 10:01
            Start Date: 27/Oct/22 10:01
    Worklog Time Spent: 10m
      Work Description: smolnar82 opened a new pull request, #660:
URL: https://github.com/apache/knox/pull/660

   ## What changes were proposed in this pull request?

   TODO

   ## How was this patch tested?

   TODO

Issue Time Tracking
-------------------

            Worklog Id:     (was: 820907)
    Remaining Estimate: 0h
            Time Spent: 10m

> Knox token impersonation in multiple topologies
> -----------------------------------------------
>
>                 Key: KNOX-2831
>                 URL: https://issues.apache.org/jira/browse/KNOX-2831
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> With KNOX-2714, users can create tokens on behalf of others by configuring
> [Knox Token Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
> in the {{KNOXTOKEN}} service.
> However, when there are multiple topologies with the {{KNOXTOKEN}} service
> and they have different proxyuser configurations the feature breaks as
> follows:
> - {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
> - {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
> Let's see this flow:
> # get a token for {{targetUser1}} by {{user1}} - this succeeds
> # get a token for {{targetUser2}} by {{user2}} - this succeeds
> # get another token for {{targetUser1}} by {{user1}} - this fails
> The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's
> {{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix)}}
> which the 2nd call overrides in the {{init}} method of
> that servlet. So the 3rd call will fail because the previous configuration on
> that topology is lost.

-- This message was sent by Atlassian Jira (v8.20.10#820010)
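
The three-request flow from the issue description, replayed against a simplified model (an added example, not code from Knox, Hadoop or the pull request). `SharedProxyUsers`, `TokenServlet` and `replay` are hypothetical names; the per-topology variant is an assumption about one way to avoid the override, not the project's fix.

```java
import java.util.Map;
import java.util.Set;
// Simplified model, not Knox or Hadoop code. All class and method names are hypothetical.
public class ProxyUserOverrideDemo {
    // Stands in for process-wide proxyuser state: refresh() replaces the rules for every caller.
    static final class SharedProxyUsers {
        private static volatile Map<String, Set<String>> rules = Map.of();
        static void refresh(Map<String, Set<String>> newRules) { rules = newRules; }
        static boolean authorize(String realUser, String doAs) {
            return rules.getOrDefault(realUser, Set.of()).contains(doAs);
        }
    }

    // One token servlet per topology; initialization runs lazily on the first request.
    static final class TokenServlet {
        private final Map<String, Set<String>> topologyRules;
        private final boolean perTopologyState;
        private boolean initialized;
        TokenServlet(Map<String, Set<String>> topologyRules, boolean perTopologyState) {
            this.topologyRules = topologyRules;
            this.perTopologyState = perTopologyState;
        }
        boolean issueToken(String realUser, String doAs) {
            if (!initialized) {
                // Shared mode: this refresh discards whatever another topology loaded earlier.
                if (!perTopologyState) SharedProxyUsers.refresh(topologyRules);
                initialized = true;
            }
            return perTopologyState
                ? topologyRules.getOrDefault(realUser, Set.of()).contains(doAs)
                : SharedProxyUsers.authorize(realUser, doAs);
        }
    }

    // Replays the three requests from the report (constructed sample users) and returns the outcomes.
    static boolean[] replay(boolean perTopologyState) {
        TokenServlet t1 = new TokenServlet(Map.of("user1", Set.of("targetUser1")), perTopologyState);
        TokenServlet t2 = new TokenServlet(Map.of("user2", Set.of("targetUser2")), perTopologyState);
        return new boolean[] {
            t1.issueToken("user1", "targetUser1"),
            t2.issueToken("user2", "targetUser2"),
            t1.issueToken("user1", "targetUser1")
        };
    }

    public static void main(String[] args) {
        System.out.println("shared state:       " + java.util.Arrays.toString(replay(false)));
        System.out.println("per-topology state: " + java.util.Arrays.toString(replay(true)));
    }
}
```

With shared state the third request is denied because the second topology's initialization replaced the rules the first topology had loaded; with per-topology state all three requests are authorized.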