Posted to user@ambari.apache.org by Lian Jiang <ji...@gmail.com> on 2018/06/11 18:36:39 UTC

knox cannot resolve user principal

Hi,

I have set up Ranger and Knox for my HDP 2.6 cluster. Interestingly, by using
the same user and password, I can access the webhdfs service via Knox but
cannot access other services in the same topology as webhdfs. The reason is
that Knox gets the correct principal for webhdfs but gets anonymous for
other services.

Any idea why this could happen? Thanks.

Re: knox cannot resolve user principal

Posted by Robert Levas <rl...@hortonworks.com>.
Hi Lian….

This seems to be more of a Knox/Ranger question. Here is a response from Larry from the Knox team. Can you send further questions on this topic to the Knox mailing list, user@knox.apache.org?



On Jun 11, 2018, at 2:49 PM, Larry McCay <lmccay@hortonworks.com<ht...@hortonworks.com>> wrote:

Hi Lian -

You will find that a number of services force the use of the Anonymous authentication provider through their service definition.
{GATEWAY_HOME}/data/services/service-name/version/service.xml

This is generally done for one or both of the following reasons:

1. the service in question does not support the trusted proxy model and impersonation via doas which is prevalent in the Hadoop ecosystem
2. the service in question provides its own authentication mechanism/login page and doesn’t want Knox to ever handle the authentication for it

For the latter, it is perfectly reasonable to add a permissive policy for the anonymous user to Ranger in order to allow the request to reach the backend service so that it can do the authentication.
For the former, in the absence of their own authentication mechanism, you would want to carefully consider whether you want to provide anonymous access to a given UI or service and what data and functionality may be exposed by such anonymous access.

HTH,

—larry
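
An added example, not part of the original thread and not Knox's own code: a Python audit that walks the service-definition path mentioned above and lists the services whose service.xml pins the Anonymous authentication provider, so you know which ones Ranger will see as anonymous. The `<policy role="authentication" name="Anonymous"/>` element layout and the sample service names are assumptions; compare them against the service.xml files in your own gateway.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def forced_auth_provider(service_xml):
    """Return the authentication provider name a service definition pins, or None."""
    root = ET.parse(service_xml).getroot()
    # Check every <policy> element, whether service-level or per-route.
    for policy in root.iter("policy"):
        if policy.get("role") == "authentication" and policy.get("name"):
            return policy.get("name")
    return None


def anonymous_services(gateway_home):
    """List (service, version) pairs whose service.xml forces Anonymous authentication."""
    hits = []
    services = Path(gateway_home) / "data" / "services"
    for path in sorted(services.glob("*/*/service.xml")):
        provider = forced_auth_provider(path)
        if provider and provider.lower() == "anonymous":
            hits.append((path.parent.parent.name, path.parent.name))
    return hits


# Constructed sample definitions (hypothetical service names, assumed layout).
SAMPLE = {
    "exampleui/1.0.0": '<service role="EXAMPLEUI" name="exampleui" version="1.0.0">'
                       '<policies><policy role="webappsec"/>'
                       '<policy role="authentication" name="Anonymous"/>'
                       '<policy role="authorization"/></policies></service>',
    "exampleapi/2.0.0": '<service role="EXAMPLEAPI" name="exampleapi" version="2.0.0">'
                        '<routes><route path="/exampleapi/**"/></routes></service>',
}


def build_sample_tree(root):
    """Write the constructed definitions under root/data/services/<name>/<version>/."""
    for rel, xml in SAMPLE.items():
        directory = Path(root) / "data" / "services" / rel
        directory.mkdir(parents=True)
        (directory / "service.xml").write_text(xml)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        print(anonymous_services(build_sample_tree(home)))
```

Point `anonymous_services()` at the real `{GATEWAY_HOME}` to get the list of services for which an anonymous Ranger policy decision has to be made deliberately.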


