Larry – How about inheriting so the user has the same rights they would have if 
talking directly to the service.

Example:

hadoop.proxyuser.someservice.users=larry,sean

That enables ‘someservice’ to impersonate larry & sean for services which use 
core-site:hadoop.proxyuser.

When talking to any of those services through Knox it could make sense for Knox 
to respect that configuration, allowing them to impersonate for those 
services & users through Knox.

--
Sean Roberts
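The hadoop.proxyuser.<service>.{users,groups,hosts} semantics that the above configuration relies on, as an added illustration (this is not Knox or Hadoop project code): a small evaluator that decides whether a service principal may act as a requested user, and refuses by default when nothing is configured. It assumes the properties arrive as a flat dict of key to comma-separated values, that the caller supplies the target user's group membership, and that host entries may be names, IPs or CIDR ranges.

```python
"""Added example: evaluate Hadoop-style proxyuser rules (not project code).

Assumptions: '*' means any; a missing users/groups list means nobody may be
impersonated; a missing hosts list means impersonation is allowed from nowhere.
"""
from ipaddress import ip_address, ip_network

# Constructed sample of core-site style properties (not from a real cluster).
SAMPLE_CONF = {
    "hadoop.proxyuser.someservice.users": "larry,sean",
    "hadoop.proxyuser.someservice.hosts": "10.0.0.5,gateway.example.internal",
    "hadoop.proxyuser.etl.groups": "analysts",
    "hadoop.proxyuser.etl.hosts": "*",
    "hadoop.proxyuser.batch.users": "*",
    "hadoop.proxyuser.batch.hosts": "10.1.0.0/16",
}

def _values(conf, service, key):
    raw = conf.get(f"hadoop.proxyuser.{service}.{key}", "")
    return {v.strip() for v in raw.split(",") if v.strip()}

def _host_allowed(hosts, client_host):
    if "*" in hosts or client_host in hosts:
        return True
    try:
        addr = ip_address(client_host)
    except ValueError:
        return False  # a hostname only matches an entry by exact string
    return any("/" in h and addr in ip_network(h, strict=False) for h in hosts)

def may_impersonate(conf, service, target_user, target_groups, client_host):
    """True only if `service` may act as `target_user` from `client_host`."""
    if service == target_user:
        return True  # acting as yourself is not impersonation
    users = _values(conf, service, "users")
    groups = _values(conf, service, "groups")
    # Who: the target must be listed by name or via one of its groups.
    who_ok = ("*" in users or target_user in users
              or "*" in groups or bool(groups & set(target_groups)))
    # Where: the originating host must also be permitted.
    return who_ok and _host_allowed(_values(conf, service, "hosts"), client_host)

def effective_user(conf, service, requested_user, target_groups, client_host):
    """Map a doAs-style request to the effective user, or refuse it outright."""
    if requested_user is None:
        return service
    if may_impersonate(conf, service, requested_user, target_groups, client_host):
        return requested_user
    raise PermissionError(f"{service} may not act as {requested_user} from {client_host}")
```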

From: larry mccay <lmc...@apache.org>
Reply-To: "user@knox.apache.org" <user@knox.apache.org>
Date: Saturday, 1 September 2018 at 20:21
To: "user@knox.apache.org" <user@knox.apache.org>
Subject: Re: Impersonate/ProxyUser through Knox?

Hi Sean -

The mechanism for doing such impersonation is through identity assertion 
providers.
We have a number of them out of the box.

In order to do this with the same sort of validation and trust configuration, a 
new one would likely be needed that took such configuration.
You would then assert the effective user as the user in the header or query 
param that you are checking.

I don't think that using the typical user.name or doas query 
params will work since we currently scrub any incoming requests of such 
impersonation attempts as it could be an attempt to spoof another identity by 
the client.

We could also look into providing the trusted proxy config on top of the 
HadoopAuthProvider but that would make such impersonation be tightly coupled to 
that provider. Maybe that makes sense since it is a Hadoop specific pattern but 
at the same time - much of the use of Knox is to avoid having to use Kerberos.

Anyway, you can certainly file a JIRA for a feature and we can discuss the 
use cases more in depth there.

thanks,

--larry

On Fri, Aug 31, 2018 at 5:04 PM Sean Roberts 
<srobe...@hortonworks.com> wrote:
David – Would you agree that this is a valid feature request?

Hortonworks docs suggest replacing HttpFs with Knox, but this is a use case 
where Knox cannot replace HttpFs which has its own proxyuser functionality.


--
Sean Roberts

From: David Villarreal <dvillarr...@hortonworks.com>
Date: Friday, 31 August 2018 at 21:38
To: Sean Roberts <srobe...@hortonworks.com>, 
"user@knox.apache.org" <user@knox.apache.org>
Subject: Re: Impersonate/ProxyUser through Knox?
Subject: Re: Impersonate/ProxyUser through Knox?

Hi Sean,

Proxy/Impersonation is configured on the Hadoop side. And knox user/principal 
impersonates users. I think the answer to this question is no… Knox does 
not have its own proxy impersonation provider.

What I know Knox does have is
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_configuring_identity_assertion.html
http://kminder.github.io/knox/2015/11/20/identity-assertion.html
http://knox.apache.org/books/knox-1-1-0/user-guide.html#Identity+Assertion


From: Sean Roberts <srobe...@hortonworks.com>
Date: Friday, August 31, 2018 at 12:43 PM
To: "user@knox.apache.org" <user@knox.apache.org>
Subject: Impersonate/ProxyUser through Knox?

Knox experts – Does Knox provide impersonation/proxyuser functionality like 
direct WebHDFS connections (hadoop.proxyuser.service-user.users) and HttpFS 
(httpfs.proxyuser.service-user.users)?

For example:

- “service-user” authenticates to Knox, then requests to run commands 
as “normal-user”.

--
Sean Roberts