Posted to dev@knox.apache.org by "Dilli Arumugam (JIRA)" <ji...@apache.org> on 2013/06/13 23:43:22 UTC

[jira] [Commented] (KNOX-75) make Knox work with Secure Oozie

    [ https://issues.apache.org/jira/browse/KNOX-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13682789#comment-13682789 ] 

Dilli Arumugam commented on KNOX-75:
------------------------------------

Submitting a workflow job to Secured Oozie through Knox, using a curl command as shown below, was simply hanging.

curl -ikv -u bob:bob-password -T workflow-configuration-bob.xml -H Content-Type:application/xml -X POST \
    'https://localhost:8443/gateway/sample/oozie/api/v1/jobs?action=start'

Analysis of the problem indicated that after the SPNego authentication challenge from Oozie, Oozie attempts to read the input stream from Knox to get workflow-configuration-bob.xml. But, from Knox's perspective, the input stream is already consumed and Knox does not send any data.

The connection simply hangs until time out and then times out.

The fix here is to convert the data sent from the browser into a ByteArrayEntity and replay the entity.

To protect against too much resource usage, we do the conversion to ByteArrayEntity only if the content-length of data from the client is less than or equal to 1MB.
                
> make Knox work with Secure Oozie
> --------------------------------
>
>                 Key: KNOX-75
>                 URL: https://issues.apache.org/jira/browse/KNOX-75
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.3.0
>            Reporter: Dilli Arumugam
>
> Knox should be able to work with Oozie secured with Kerberos.
> End user would authenticate with Knox with ldap credentials.
> Knox would authenticate with Oozie with SPNego and assert the end user identity as doas query parameter.
> Knox would be granted proxy privileges in oozie-site.xml

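The replay behaviour described in the comment above, as an added example that is not part of the original message and is not Knox's own code. It assumes the Apache HttpComponents 4.x entity classes are on the classpath (`ByteArrayEntity` is named in the comment; `InputStreamEntity` is the assumed streaming counterpart), and the class, constant and helper names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.apache.http.HttpEntity;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.entity.InputStreamEntity;

public class ReplayableEntityDemo {
    // 1MB cap from the comment above; the constant name is hypothetical.
    static final long REPLAY_BUFFER_MAX = 1024L * 1024L;

    // Hypothetical helper: choose the entity forwarded to the backend.
    static HttpEntity toOutboundEntity(InputStream clientBody, long contentLength)
            throws IOException {
        InputStreamEntity streaming = new InputStreamEntity(clientBody, contentLength);
        if (contentLength < 0 || contentLength > REPLAY_BUFFER_MAX) {
            // Unknown or large length: stream once and accept that it cannot be replayed.
            return streaming;
        }
        // writeTo() copies at most contentLength bytes, so the buffer stays
        // bounded by the declared length that was just checked against the cap.
        ByteArrayOutputStream buf = new ByteArrayOutputStream((int) contentLength);
        streaming.writeTo(buf);
        return new ByteArrayEntity(buf.toByteArray());
    }

    // Stand-in for one attempt at writing the request body to the backend.
    static int send(HttpEntity entity) throws IOException {
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        entity.writeTo(wire);
        return wire.size();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body standing in for workflow-configuration-bob.xml.
        byte[] xml = "<configuration/>".getBytes(StandardCharsets.UTF_8);
        HttpEntity streamed = new InputStreamEntity(new ByteArrayInputStream(xml), xml.length);
        HttpEntity buffered = toOutboundEntity(new ByteArrayInputStream(xml), xml.length);
        for (HttpEntity e : new HttpEntity[] {streamed, buffered}) {
            System.out.println(e.getClass().getSimpleName() + " repeatable=" + e.isRepeatable());
            // The first attempt is the one answered with the SPNEGO challenge;
            // the second is the authenticated retry that must carry the body again.
            System.out.println("  first attempt bytes: " + send(e));
            System.out.println("  retry attempt bytes: " + send(e));
        }
    }
}
```

Bodies above the cap still go out as a one-shot stream, so a challenge on such a request leaves nothing to resend on the retry.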