You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Thomas Tauber-Marshall (Jira)" <ji...@apache.org> on 2019/09/26 21:36:00 UTC

[jira] [Created] (KNOX-2026) Accept Impala's authentication cookies

Thomas Tauber-Marshall created KNOX-2026:
--------------------------------------------

             Summary: Accept Impala's authentication cookies
                 Key: KNOX-2026
                 URL: https://issues.apache.org/jira/browse/KNOX-2026
             Project: Apache Knox
          Issue Type: Task
          Components: Server
            Reporter: Thomas Tauber-Marshall


With the Impala service definitions that were recently added, it would be nice if Knox would accept and return the authentication cookies that Impala generates.

As far as I can tell, they are not currently being accepted due to failing the two checks here: https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67

For the first check, isAuthCookie(), its fairly easy to add Impala's cookie name (impala.auth), to the options.

For the second check, isKnoxCookie(), which appears to have been added in KNOX-1341, Knox requires a very specific cookie format. While Impala uses the same basic scheme for generating cookies as Hadoop, the precise format is slightly different, so we fail the check. I can see a few options for fixing this:
- Update Impala to use the exact same cookie format as Hadoop. This is relatively easy, but it seems overly restrictive to me to require that all components use the exact same cookie format, and could cause headaches if Impala or any other components ever needs to modify their cookie format.
- Make the isKnoxCookie() check more permissive. The simplest thing would be to just check that the Knox principal is present somewhere in the cookie value, which should accept any cookie that uses the basic format of having a sequence of values, including the authenticated username/principal, along with an HMAC. It seems unlikely to me that would result in storing any undesired cookies, but if its too permissive another option would be to make the format dependent on the cookie name.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)