Posted to dev@knox.apache.org by "jaehoon ko (JIRA)" <ji...@apache.org> on 2014/10/13 07:34:35 UTC

[jira] [Commented] (KNOX-440) HttpFS impersonation issue

    [ https://issues.apache.org/jira/browse/KNOX-440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168966#comment-14168966 ] 

jaehoon ko commented on KNOX-440:
---------------------------------

GitHub pull request: https://github.com/apache/knox/pull/1

Due to limitations of my cluster environment, I couldn't test how this change would affect use of other Hadoop services (hive, oozie, etc.). Please help with these tests if you can.

> HttpFS impersonation issue
> --------------------------
>
>                 Key: KNOX-440
>                 URL: https://issues.apache.org/jira/browse/KNOX-440
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 0.4.0
>            Reporter: jaehoon ko
>              Labels: patch
>
> When NameNode High Availability is enabled, KNOX should be integrated with HttpFS, not WebHDFS. KNOX puts 'doAs=username' to impersonate a user against HttpFS. The problem is that HttpFS does not recognize 'doAs', resulting in the following error.
> {panel}
> client:
> $ hdfs dfs -ls /user/rob/hello
> -r--------   3 rob stark          6 2014-10-02 09:19 /user/rob/hello
> $ curl -iLk -u rob -X GET "https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN"
> Enter host password for user 'rob':
> HTTP/1.1 500 Server Error
> Set-Cookie: JSESSIONID=u5grw7n8xe3x19o7wuxwpai3k;Path=/gateway/amber;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Server: Apache-Coyote/1.1
> Date: Mon, 13 Oct 2014 03:47:47 GMT
> Content-Type: application/json
> Connection: close
> {"RemoteException":{"message":"Permission denied: user=knox, access=READ, inode=\"/user/rob/hello\":rob:stark:-r--------","exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException"}}
> {panel}
> {panel}
> tail -f $KNOX/logs/gateway.log
> 2014-10-13 12:47:47,169 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(110)) - Received request: GET /webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,596 INFO  realm.AuthorizingRealm (AuthorizingRealm.java:getAuthorizationCacheLazy(248)) - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
> 2014-10-13 12:47:47,635 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(157)) - Rewrote URL: https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN, direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?op=OPEN
> 2014-10-13 12:47:47,653 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: */*, direction: IN
> 2014-10-13 12:47:47,654 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2, direction: IN
> 2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:47,934 DEBUG hadoop.gateway (AppCookieManager.java:getAppCookie(139)) - Successful Knox->Hadoop SPNegotiation authentication for URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
> 2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Apache-Coyote/1.1, direction: OUT
> 2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: application/json, direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: chunked, direction: OUT
> 2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Mon, 13 Oct 2014 03:47:47 GMT, direction: OUT
> 2014-10-13 12:47:48,009 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: close, direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:-r--------, direction: OUT
> 2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: AccessControlException, direction: OUT
> 2014-10-13 12:47:48,031 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: org.apache.hadoop.security.AccessControlException, direction: OUT
> {panel}
> According to the [WebHDFS specification|http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users], the correct variable name is 'doas'.
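The failure mode above (gateway sends `doAs`, HttpFS ignores it, the request runs as the `knox` service user and HDFS answers with an AccessControlException) can be caught from the gateway's own dispatch log. The following is an added example, not Knox code or part of the issue: it parses constructed `gateway.log` lines in the format shown above (the `httpfs.example.invalid` host is a placeholder), flags outbound dispatch URLs whose proxy-user parameter is not the lowercase `doas` the spec names, pairs each request with its response status, and shows the corrected URL.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of gateway.log dispatch lines (same layout as the issue's
# log, placeholder host). First request uses 'doAs' and gets a 500, the second
# uses the spec's 'doas' and succeeds.
SAMPLE_LOG = """\
2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://httpfs.example.invalid:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
2014-10-13 12:50:01,100 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://httpfs.example.invalid:14000/webhdfs/v1/user/rob/hello?doas=rob&op=OPEN
2014-10-13 12:50:01,300 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 200
"""

DISPATCH_RE = re.compile(r"Dispatch request: (?P<method>[A-Z]+) (?P<url>\S+)")
STATUS_RE = re.compile(r"Dispatch response status: (?P<status>\d+)")

def proxy_user_param(url):
    """Return (name, value) of the proxy-user query parameter as actually sent, or None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() == "doas":
            return name, value
    return None

def check_dispatch_url(url):
    """Classify an outbound dispatch URL against the WebHDFS proxy-user spec ('doas')."""
    param = proxy_user_param(url)
    if param is None:
        return "no-impersonation"   # backend will act as the gateway's own principal
    name, _ = param
    return "ok" if name == "doas" else "wrong-case"   # 'doAs' is ignored by HttpFS

def fix_dispatch_url(url):
    """Rewrite the proxy-user parameter to the lowercase name, keeping parameter order."""
    parts = urlsplit(url)
    query = [("doas" if n.lower() == "doas" else n, v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def audit_log(text):
    """Return [(url, verdict, status)] for each dispatch request in a gateway.log excerpt."""
    findings, pending = [], None
    for line in text.splitlines():
        m = DISPATCH_RE.search(line)
        if m:
            pending = [m.group("url"), check_dispatch_url(m.group("url")), None]
            findings.append(pending)
            continue
        s = STATUS_RE.search(line)
        if s and pending is not None:
            pending[2] = int(s.group("status"))   # pair status with the preceding request
            pending = None
    return [tuple(f) for f in findings]
```

A `wrong-case` verdict followed by a 500 carrying `user=knox` in the RemoteException is exactly the signature in the issue; the same audit also surfaces `no-impersonation` dispatches, where a request would silently run with the gateway's own privileges rather than the end user's.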



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)