Description
Steps to reproduce
- create a topology with Knox's HadoopAuth filter as the authentication provider and include the KNOXTOKEN service (let's call it myKnoxTokenTopology in this sample)
- make sure the HadoopAuth filter is configured such that it allows the hive user (it can be any user; I use hive as a sample) to impersonate hdfs
- make sure that token state management is disabled in the KNOXTOKEN service
- login to Kerberos as the hive user (kinit using a valid hive keytab)
- try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. run curl --negotiate -u : "https://$(hostname -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs" twice)
Actual results
The second call fails with an error message like this:
{ "RemoteException" : { "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } }
Expected results
Both KnoxToken REST API invocations should have succeeded.
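As an added example (not code from this issue or from the Knox project): a small POSIX shell harness that runs the two doAs calls from the steps above and classifies the pair of responses as reproduced (first token issued, second refused as under Actual results), fixed (both issued as under Expected results) or unexpected. Assumptions not taken from the issue: the topology name myKnoxTokenTopology, a gateway on https://<fqdn>:8443, the hive keytab and principal supplied via HIVE_KEYTAB and HIVE_PRINCIPAL, and the two sample bodies, which are constructed (the refusal copies the shape of the error shown above; the success body assumes the access_token field of a KnoxToken response).

```shell
#!/bin/sh
# Added example, not part of the JIRA issue or the Knox code base: reproduction
# harness for the two-call doAs scenario. Assumed values (adjust to the deployment):
# topology myKnoxTokenTopology, gateway on https://<fqdn>:8443, hive credentials in
# HIVE_KEYTAB / HIVE_PRINCIPAL.

KNOX_HOST="${KNOX_HOST:-$(hostname -f 2>/dev/null || echo localhost)}"
KNOX_BASE="${KNOX_BASE:-https://${KNOX_HOST}:8443/gateway}"
TOPOLOGY="${TOPOLOGY:-myKnoxTokenTopology}"
PROXY_USER="${PROXY_USER:-hdfs}"

# Constructed sample bodies, shaped like the report's error and a token response,
# so the classifier can be exercised without a gateway.
SAMPLE_DENIED='{ "RemoteException" : { "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } }'
SAMPLE_ISSUED='{"access_token":"eyJhbGciOiJSUzI1NiJ9.e30.c2ln","token_type":"Bearer","expires_in":1700000000000}'

# Exit 0 when the body is Hadoop's proxyuser refusal: both the
# "is not allowed to impersonate" message and the AuthorizationException class
# must be present; checked separately so JSON field order and whitespace do not matter.
impersonation_denied() {
    case "$1" in *"is not allowed to impersonate"*) ;; *) return 1 ;; esac
    case "$1" in *AuthorizationException*) return 0 ;; *) return 1 ;; esac
}

# Exit 0 when the body carries a KnoxToken access_token field.
token_issued() {
    case "$1" in *'"access_token"'*) return 0 ;; *) return 1 ;; esac
}

# Classify the responses of two consecutive doAs calls:
#   reproduced  first token issued, second refused (behaviour in the report)
#   fixed       both tokens issued (expected behaviour)
#   unexpected  anything else (stale Kerberos ticket, wrong topology, ...)
classify_pair() {
    if token_issued "$1" && impersonation_denied "$2"; then
        echo reproduced
    elif token_issued "$1" && token_issued "$2"; then
        echo fixed
    else
        echo unexpected
    fi
}

# One KnoxToken request on behalf of $PROXY_USER, authenticated with the current
# Kerberos ticket via SPNEGO; prints the response body.
request_token() {
    curl -sS --negotiate -u : \
        "${KNOX_BASE}/${TOPOLOGY}/knoxtoken/api/v1/token?doAs=${PROXY_USER}"
}

# The live reproduction runs only with --run, so the file can be sourced for its
# helpers without touching a gateway.
if [ "${1:-}" = "--run" ]; then
    kinit -kt "${HIVE_KEYTAB:?set HIVE_KEYTAB}" "${HIVE_PRINCIPAL:?set HIVE_PRINCIPAL}"
    first="$(request_token)"
    second="$(request_token)"
    verdict="$(classify_pair "$first" "$second")"
    echo "verdict: $verdict"
    [ "$verdict" = fixed ]
fi
```

Invoke it with --run on a host that has the hive keytab; the exit status is 0 only when both calls return a token, so the same script doubles as a regression check once the fix is in place. Without --run only the helper functions are defined, and the classifier can be exercised against the constructed samples offline.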
Action plan:
- fix the issue of refreshing Hadoop's proxyuser configuration in TokenResource when token state management is disabled
- reuse the existing service-level configuration parameter knox.token.impersonation.enabled, which lets us enable/disable doAs support on the KnoxToken path regardless of the token state management settings