You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Prabhu Joseph (JIRA)" <ji...@apache.org> on 2019/05/07 12:18:01 UTC

[jira] [Comment Edited] (HADOOP-16287) KerberosAuthenticationHandler Trusted Proxy Support for Knox

    [ https://issues.apache.org/jira/browse/HADOOP-16287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834607#comment-16834607 ] 

Prabhu Joseph edited comment on HADOOP-16287 at 5/7/19 12:17 PM:
-----------------------------------------------------------------

[~daryn] [~eyang] Thanks for the review. When testing the patch-001 with YARN RM UI and Knox Gateway using multiple browsers in parallel, observed AuthToken for user1 is used for all the subsequent operations.

Have set the impersonated user in http request attribute "doAsUser". YARN RM UI code will define a filter initializer which adds the {{ProxyUserAuthenticationFIlter}}. RM UI code can lists apps based on the end user instead of proxy user.


was (Author: prabhu joseph):
[~daryn] [~eyang] Thanks for the review. When testing the patch-001 with YARN RM UI and Knox Gateway using multiple browsers in parallel, observed AuthToken for user1 is used for all the subsequent operations.

Have set the impersonated user in http request attribute "proxyUser". YARN RM UI code will define a filter initializer which adds the {{ProxyUserAuthenticationFIlter}}. RM UI code can lists apps based on the end user instead of proxy user.

> KerberosAuthenticationHandler Trusted Proxy Support for Knox
> ------------------------------------------------------------
>
>                 Key: HADOOP-16287
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16287
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: auth
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16287-001.patch, HADOOP-16287-002.patch, HADOOP-16827-003.patch
>
>
> Knox passes doAs with end user while accessing RM, WebHdfs Rest Api. Currently KerberosAuthenticationHandler sets the remote user to Knox. Need Trusted Proxy Support by reading doAs query parameter.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org