Posted to dev@knox.apache.org by "Jesus Alvarez (JIRA)" <ji...@apache.org> on 2019/03/15 20:21:00 UTC

[jira] [Comment Edited] (KNOX-1765) option to append @realm to usernames

    [ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16793914#comment-16793914 ] 

Jesus Alvarez edited comment on KNOX-1765 at 3/15/19 8:20 PM:
--------------------------------------------------------------

Tried a few scenarios on Knox 1.1.0, fwiw a simple *Regex* identity-assertion adds it properly:

 
{code:java}
<provider>
  <role>identity-assertion</role>
  <name>Regex</name>
  <enabled>true</enabled>
  <param>
    <name>input</name>
    <value>(.*)</value>
  </param>
  <param>
    <name>output</name>
    <value>{1}@FYRE.IBM.COM</value>
  </param>
</provider>
{code}
 
{code:java}
# gateway-audit
19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|user1@FYRE.IBM.COM||identity-mapping|principal|user1|success|Effective User: user1@FYRE.IBM.COM

19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|user1@FYRE.IBM.COM||dispatch|uri|http://myhost.livy:8999/sessions?doAs=user1@FYRE.IBM.COM|success|Response status: 200

# livy-server.out
INFO InteractiveSession$: Creating Interactive session 501: [owner: dsxhi, request: [kind: pyspark, proxyUser: Some(user1@FYRE.IBM.COM)
{code}
 

And the session is started properly :D Even though livy2/2019_03_15.request.log shows the request as %40, this seems to be a non-issue:
{code:java}
172.16.11.67 - - [15/Mar/2019:19:09:38 +0000] "GET /sessions/501?doAs=user1%40FYRE.IBM.COM HTTP/1.1" 200 -
{code}
was (Author: jesus.alv):
Tried a few scenarios on Knox 1.1.0, fwiw a simple *Regex* identity-assertion adds it properly:

 
{code:java}
<provider>
  <role>identity-assertion</role>
  <name>Regex</name>
  <enabled>true</enabled>
  <param>
    <name>input</name>
    <value>(.*)</value>
  </param>
  <param>
    <name>output</name>
    <value>{1}@FYRE.IBM.COM</value>
  </param>
</provider>
{code}
{code:java}
# gateway-audit
19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|user1@FYRE.IBM.COM||identity-mapping|principal|user1|success|Effective User: user1@FYRE.IBM.COM

19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|user1@FYRE.IBM.COM||dispatch|uri|http://myhost.livy:8999/sessions?doAs=user1@FYRE.IBM.COM|success|Response status: 200

# livy-server.out
INFO InteractiveSession$: Creating Interactive session 501: [owner: dsxhi, request: [kind: pyspark, proxyUser: Some(user1@FYRE.IBM.COM)
{code}
 

And the session is started properly, even though livy2/2019_03_15.request.log shows the request as %40:

{{172.16.11.67 - - [15/Mar/2019:19:09:38 +0000] "GET /sessions/501?doAs=user1%40FYRE.IBM.COM HTTP/1.1" 200 -}}

> option to append @realm to usernames
> ------------------------------------
>
>                 Key: KNOX-1765
>                 URL: https://issues.apache.org/jira/browse/KNOX-1765
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Ruslan Dautkhanov
>            Assignee: Larry McCay
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names. 
>  
> For auth_to_local to work, @realm part is mandatory. 
>  
> For example, Apache Knox, if it authenticates users using LDAP 
> and then sends requests over to Livy, doesn't append the realm. 
>  
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like 
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check: if 
> the realm is empty, auth_to_local rules are not applied
>  
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>  
> rule application starts further down, on line 383,
>  
> so it never reaches the rule transformation loop if the realm is empty. 
>  
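
The behaviour discussed in the comment above (a Regex identity assertion appending @realm, and the @ showing up as %40 in Livy's request log) and in the issue description (Hadoop skipping auth_to_local rules when the realm is empty), re-created as an added Python simulation that is not Knox's or Hadoop's code; REALM, AUTH_TO_LOCAL and the function names are assumptions chosen here for illustration.

```python
import re
import urllib.parse

# Constructed values mirroring the ticket's example; not from Knox or Hadoop.
REALM = "FYRE.IBM.COM"
REGEX_INPUT = r"(.*)"              # <param> input  in the Regex provider
REGEX_OUTPUT = "{1}@" + REALM      # <param> output in the Regex provider

# Simplified auth_to_local: (regex over the full principal, replacement).
# Equivalent in spirit to RULE:[1:$1@$0](.*@FYRE.IBM.COM)s/@.*//
AUTH_TO_LOCAL = [(r"(.*)@" + re.escape(REALM), r"\1")]


def assert_identity(principal: str, pattern: str = REGEX_INPUT,
                    template: str = REGEX_OUTPUT) -> str:
    """Simulate the Regex identity-assertion provider: the input regex must
    match the whole authenticated name and {n} in the output template is
    replaced by capture group n. Non-matching names pass through (assumption)."""
    m = re.fullmatch(pattern, principal)
    if m is None:
        return principal
    return re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1))), template)


def short_name(principal: str, rules=AUTH_TO_LOCAL) -> str:
    """Simplified KerberosName-style short-name mapping. As the reporter notes,
    a principal without a realm never reaches the rules loop and is returned
    unchanged; with a realm, the first matching rule is applied."""
    if "@" not in principal:
        return principal
    for pattern, repl in rules:
        if re.fullmatch(pattern, principal):
            return re.sub(pattern, repl, principal)
    raise ValueError(f"no auth_to_local rule matched {principal!r}")


def livy_doas_query(effective_user: str) -> str:
    """Query string Knox would dispatch to Livy; '@' is percent-encoded as %40."""
    return urllib.parse.urlencode({"doAs": effective_user})


def decode_doas(query: str) -> str:
    """What Livy sees after decoding: %40 is plain '@' again, so no issue."""
    return urllib.parse.parse_qs(query)["doAs"][0]


if __name__ == "__main__":
    eff = assert_identity("user1")                 # user1@FYRE.IBM.COM
    print(eff, short_name(eff), livy_doas_query(eff), short_name("user1"))
```

Without the Regex provider, `short_name("user1")` returns "user1" untouched, which is the realm-less case the issue describes; with it, the realm is present and the rule strips it back to the short name.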
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)