Posted to user@knox.apache.org by larry mccay <lm...@apache.org> on 2018/09/01 19:21:22 UTC

Re: Impersonate/ProxyUser through Knox?

Hi Sean -

The mechanism for doing such impersonation is through identity assertion
providers.
We have a number of them out of the box.

In order to do this with the same sort of validation and trust
configuration, a new one would likely be needed that took such
configuration.
You would then assert the effective user as the user in the header or query
param that you are checking.

I don't think that using the typical user.name or doas query params will
work since we currently scrub any incoming requests of such impersonation
attempts as it could be an attempt to spoof another identity by the client.

We could also look into providing the trusted proxy config on top of the
HadoopAuthProvider but that would make such impersonation be tightly
coupled to that provider. Maybe that makes sense since it is a Hadoop
specific pattern but at the same time - much of the use of Knox is to avoid
having to use kerberos.

Anyway, you can certainly file a JIRA for a feature and we can discuss the
use cases more in depth there.

thanks,

--larry

On Fri, Aug 31, 2018 at 5:04 PM Sean Roberts <sr...@hortonworks.com> wrote:

> David – Would you agree that this is a valid feature request?
>
> Hortonworks docs suggest replacing HttpFs with Knox, but this is a use
> case where Knox cannot replace HttpFs which has its own proxyuser
> functionality.
>
> --
> Sean Roberts
>
> *From: *David Villarreal <dv...@hortonworks.com>
> *Date: *Friday, 31 August 2018 at 21:38
> *To: *Sean Roberts <sr...@hortonworks.com>, "user@knox.apache.org" <user@knox.apache.org>
> *Subject: *Re: Impersonate/ProxyUser through Knox?
>
> Hi Sean,
>
> Proxy/Impersonation is configured on the Hadoop side.  And Knox
> user/principal impersonates users.  I think the answer to this question is
> no….   Knox does not have its own proxy impersonation provider.
>
> What I know Knox does have is
>
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_configuring_identity_assertion.html
> http://kminder.github.io/knox/2015/11/20/identity-assertion.html
> http://knox.apache.org/books/knox-1-1-0/user-guide.html#Identity+Assertion
>
> *From: *Sean Roberts <sr...@hortonworks.com>
> *Date: *Friday, August 31, 2018 at 12:43 PM
> *To: *"user@knox.apache.org" <us...@knox.apache.org>
> *Subject: *Impersonate/ProxyUser through Knox?
>
> Knox experts – Does Knox provide impersonation/proxyuser functionality
> like direct WebHDFS connections *(hadoop.proxyuser.service-user.users)*
> and HttpFS *(httpfs.proxyuser.service-user.users)*?
>
> For example:
>
> - “service-user” authenticates to Knox, then requests to run
> commands as “normal-user”.
>
> --
> Sean Roberts

Re: Impersonate/ProxyUser through Knox?

Posted by Sean Roberts <sr...@hortonworks.com>.
Larry – How about inheriting, so the user has the same rights they would have if talking directly to the service?

Example:

hadoop.proxyuser.someservice.users=larry,sean

That enables ‘someservice’ to impersonate larry & sean for services which use core-site:hadoop.proxyuser.

When talking to any of those services through Knox, it could make sense for Knox to respect that configuration, allowing them to impersonate for those services & users through Knox.

--
Sean Roberts

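Added example (not Knox's or Hadoop's code) modelling both points raised in this thread: Larry's note that the gateway scrubs any client-supplied doas/user.name parameters, and Sean's proposal that a gateway-side trusted-proxy check honour the core-site hadoop.proxyuser.<proxy>.{users,groups,hosts} lists. The X-Proxy-DoAs header, the core-site properties and the group table below are constructed assumptions; host matching is exact-string or '*', a simplification of Hadoop's MachineList, which also accepts CIDR ranges.

```python
"""Trusted-proxy (doAs) handling in front of a Hadoop REST service: a model.

Added example, not Knox's or Hadoop's code. It models the gateway scrubbing
any client-supplied doas / user.name parameter, and a trusted-proxy check with
hadoop.proxyuser.<proxy>.{users,groups,hosts} semantics. The X-Proxy-DoAs
header, the core-site properties and the group table are assumptions; host
matching is exact or '*' (Hadoop's MachineList also takes CIDR ranges).
"""
from __future__ import annotations

from typing import Callable, Dict, Iterable, List, Set, Tuple
from urllib.parse import parse_qsl, urlencode

# Client-controlled impersonation parameters. Hadoop accepts doas and doAs,
# so the scrub matches names case-insensitively.
IMPERSONATION_PARAMS = {"doas", "user.name"}
PROXY_HEADER = "X-Proxy-DoAs"  # assumption: a dedicated, gateway-owned header

Policy = Dict[str, Dict[str, Set[str]]]


def scrub_query(query: str) -> List[Tuple[str, str]]:
    """Drop every doas/user.name pair the client put in the query string."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in IMPERSONATION_PARAMS]


def parse_proxyuser_config(props: Dict[str, str]) -> Policy:
    """Collect hadoop.proxyuser.<proxy>.{users,groups,hosts} into per-proxy sets."""
    policy: Policy = {}
    for key, value in props.items():
        parts = key.split(".")
        if (len(parts) != 4 or parts[:2] != ["hadoop", "proxyuser"]
                or parts[3] not in ("users", "groups", "hosts")):
            continue  # not a proxyuser property
        proxy, field = parts[2], parts[3]
        rule = policy.setdefault(proxy, {"users": set(), "groups": set(), "hosts": set()})
        rule[field] = {v.strip() for v in value.split(",") if v.strip()}
    return policy


def may_impersonate(policy: Policy, proxy: str, target: str,
                    target_groups: Iterable[str], remote_host: str) -> bool:
    """DefaultImpersonationProvider rule: (target in users, or one of its
    groups in groups, or '*') AND (remote host in hosts, or '*').
    A proxy with no configuration may impersonate nobody."""
    rule = policy.get(proxy)
    if rule is None:
        return False
    user_ok = ("*" in rule["users"] or target in rule["users"]
               or "*" in rule["groups"] or bool(rule["groups"] & set(target_groups)))
    host_ok = "*" in rule["hosts"] or remote_host in rule["hosts"]
    return user_ok and host_ok


def resolve_effective_user(policy: Policy, auth_user: str, headers: Dict[str, str],
                           query: str, remote_host: str,
                           groups_of: Callable[[str], Iterable[str]]) -> Tuple[str, str]:
    """Return (effective_user, outbound_query) for one gateway request.

    auth_user is the identity the gateway's authentication provider established.
    Whatever doas/user.name the client sent is discarded; only the trusted-proxy
    header is consulted, and only when the allow-list permits it. The gateway
    then asserts the effective identity itself (user.name here, as for simple
    auth; a Kerberos-authenticated gateway would send doAs with its own identity).
    """
    params = scrub_query(query)
    requested = headers.get(PROXY_HEADER)
    effective = auth_user
    if requested and requested != auth_user:
        if not may_impersonate(policy, auth_user, requested, groups_of(requested), remote_host):
            raise PermissionError(f"{auth_user} may not impersonate {requested} from {remote_host}")
        effective = requested
    params.append(("user.name", effective))
    return effective, urlencode(params)


# Constructed sample, extending Sean's hadoop.proxyuser.someservice example.
CORE_SITE = {
    "hadoop.proxyuser.someservice.users": "larry,sean",
    "hadoop.proxyuser.someservice.hosts": "10.0.0.5,10.0.0.6",
    "hadoop.proxyuser.httpfs.groups": "analysts",
    "hadoop.proxyuser.httpfs.hosts": "*",
    "fs.defaultFS": "hdfs://nn:8020",  # unrelated property, must be ignored
}
GROUPS = {"larry": {"admins"}, "sean": {"analysts"}, "mallory": set()}  # constructed
POLICY = parse_proxyuser_config(CORE_SITE)


def groups_of(user: str) -> Set[str]:
    return GROUPS.get(user, set())


if __name__ == "__main__":
    # An ordinary client cannot promote itself by smuggling doas in the query.
    print(resolve_effective_user(POLICY, "mallory", {}, "op=OPEN&doas=larry", "10.0.0.5", groups_of))
    # A configured proxy from a listed host may act as larry.
    print(resolve_effective_user(POLICY, "someservice", {PROXY_HEADER: "larry"}, "op=OPEN", "10.0.0.5", groups_of))
    try:  # same proxy, host not in the list: refused
        resolve_effective_user(POLICY, "someservice", {PROXY_HEADER: "larry"}, "op=OPEN", "10.0.0.9", groups_of)
    except PermissionError as exc:
        print("refused:", exc)
```

The point the model makes: the client-visible parameter is never trusted, so an ordinary authenticated user cannot escalate by appending doas=larry; only an identity the allow-list names as a proxy, connecting from a listed host, is asserted as someone else downstream. An unconfigured proxy, a host outside the list, or a target outside users/groups falls through to the authenticated identity or a refusal, which is the same outcome the Hadoop side would produce for a direct WebHDFS or HttpFS call.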