[KNOX-2831] Knox token impersonation in multiple topologies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: Server
Labels:
None

Description

With ~~KNOX-2714~~, users can create tokens on behalf of others by configuring Knox Token Impersonation in the KNOXTOKEN service.

However, when there are multiple topologies with the KNOXTOKEN service and they have different proxyuser configurations the feature breaks as follows:

topology1 enables user1 to create tokens for targetUser1
topology2 enables user2 to create tokens for targetUser2

Let's see this flow:

get a token for targetUser1 by user1 - this succeeds
get a token for targetUser2 by user2 - this succeeds
get another token for targetUser1 by user1 - this fails

The reason is that Knox's KNOXTOKEN service uses Hadoop's ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String proxyUserPrefix) which the 2nd call overrides in the init method of that servlet. So the 3rd call will fail because the previous configuration on that topology is lost.

Attachments

Issue Links

links to

GitHub Pull Request #660

Activity

People

Assignee:: Sandor Molnar

Reporter:: Sandor Molnar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Oct/22 09:26

Updated:: 03/Nov/22 08:53

Resolved:: 28/Oct/22 06:51

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m