You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/10/03 18:30:00 UTC

[jira] [Work logged] (KNOX-2672) Handle gateway-level aliases in Hadoop authentication filter

     [ https://issues.apache.org/jira/browse/KNOX-2672?focusedWorklogId=659347&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-659347 ]

ASF GitHub Bot logged work on KNOX-2672:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Oct/21 18:29
            Start Date: 03/Oct/21 18:29
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged pull request #503:
URL: https://github.com/apache/knox/pull/503


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 659347)
    Time Spent: 0.5h  (was: 20m)

> Handle gateway-level aliases in Hadoop authentication filter
> ------------------------------------------------------------
>
>                 Key: KNOX-2672
>                 URL: https://issues.apache.org/jira/browse/KNOX-2672
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The current {{HadoopAuthFilter}} implementation is [capable of handling aliases on topology level|https://github.com/apache/knox/blob/v1.5.0/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java#L267-L275]:
> {noformat}
>         if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
>           String alias = value.substring("${ALIAS=".length(), value.length() - 1);
>           try {
>             value = String.valueOf(
>                 aliasService.getPasswordFromAliasForCluster(clusterName, alias));
>           } catch (AliasServiceException e) {
>             throw new ServletException("Unable to retrieve alias for config: " + name, e);
>           }
>         }
>  {noformat}
> However, this solution is not too flexible: imagine you create a shared provider configuration with the {{HadoopAuth}} provider where you want to use an alias (e.g the keytab file location in Cloudera Manager isn't static, it's relative to the Knox process's directory). At the provider creation time, you don't know the descriptors (topologies) that may reference your newly created shared provider configuration. Thus, you cannot create the desired aliases in advance using the Knox CLI. what you can do is to create an alias on the gateway-level which the HadoopAuth filter should be able to lookup.
> The suggested solution is to extend the above logic as follows: if the topology-level alias is not found, try to get the value from the gateway-level.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)