Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/10/03 18:30:00 UTC

[jira] [Commented] (KNOX-2672) Handle gateway-level aliases in Hadoop authentication filter

    [ https://issues.apache.org/jira/browse/KNOX-2672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423694#comment-17423694 ] 

ASF subversion and git services commented on KNOX-2672:
-------------------------------------------------------

Commit d36f29ae0052f930394e52f9e169cf8e78ac54a9 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d36f29a ]

KNOX-2672 - Handle aliases in HadoopAuth filter on gateway level too (#503)



> Handle gateway-level aliases in Hadoop authentication filter
> ------------------------------------------------------------
>
>                 Key: KNOX-2672
>                 URL: https://issues.apache.org/jira/browse/KNOX-2672
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The current {{HadoopAuthFilter}} implementation is [capable of handling aliases on topology level|https://github.com/apache/knox/blob/v1.5.0/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java#L267-L275]:
> {noformat}
>         if (value.startsWith("${ALIAS=") && value.endsWith("}")) {
>           String alias = value.substring("${ALIAS=".length(), value.length() - 1);
>           try {
>             value = String.valueOf(
>                 aliasService.getPasswordFromAliasForCluster(clusterName, alias));
>           } catch (AliasServiceException e) {
>             throw new ServletException("Unable to retrieve alias for config: " + name, e);
>           }
>         }
> {noformat}
> However, this solution is not too flexible: imagine you create a shared provider configuration with the {{HadoopAuth}} provider where you want to use an alias (e.g. the keytab file location in Cloudera Manager isn't static, it's relative to the Knox process's directory). At the provider creation time, you don't know the descriptors (topologies) that may reference your newly created shared provider configuration. Thus, you cannot create the desired aliases in advance using the Knox CLI. What you can do is to create an alias on the gateway-level which the HadoopAuth filter should be able to look up.
> The suggested solution is to extend the above logic as follows: if the topology-level alias is not found, try to get the value from the gateway-level.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
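
The lookup order proposed in the issue description, as an added Java example (not the code from commit d36f29a or from the Knox code base): `AliasStore` and the `__gateway` scope name are hypothetical stand-ins for Knox's alias service, and the sample values are constructed. It assumes a missing alias is reported as `null`, lets a topology-level alias take precedence over the gateway-level one, and fails closed when neither level has the alias.

```java
import java.util.Map;

/** Added illustration; AliasStore is a hypothetical stand-in for Knox's alias service. */
public class AliasFallbackExample {
  static final String PREFIX = "${ALIAS=";
  static final String GATEWAY = "__gateway"; // constructed scope name, used only in this example

  /** In-memory stand-in: scope -> (alias -> secret). Returns null when the alias is absent. */
  record AliasStore(Map<String, Map<String, char[]>> scopes) {
    char[] lookup(String scope, String alias) {
      return scopes.getOrDefault(scope, Map.of()).get(alias);
    }
  }

  /** Resolves ${ALIAS=name}: topology scope first, then gateway scope, else fail closed. */
  static String resolve(AliasStore store, String clusterName, String name, String value) {
    if (value == null || !value.startsWith(PREFIX) || !value.endsWith("}")) {
      return value; // not an alias reference, so the literal value is used
    }
    String alias = value.substring(PREFIX.length(), value.length() - 1);
    char[] secret = store.lookup(clusterName, alias); // topology-level alias wins if present
    if (secret == null) {
      secret = store.lookup(GATEWAY, alias);          // gateway-level fallback
    }
    if (secret == null) {
      // Never pass the unresolved "${ALIAS=...}" text (or "null") on to the auth handler.
      throw new IllegalStateException("Unable to retrieve alias for config: " + name);
    }
    return new String(secret);
  }

  public static void main(String[] args) {
    // Constructed sample data: one topology-level override and two gateway-wide aliases.
    AliasStore store = new AliasStore(Map.of(
        "sandbox", Map.of("keytab", "/topo/knox.keytab".toCharArray()),
        GATEWAY, Map.of("keytab", "/gw/knox.keytab".toCharArray(),
                        "principal", "HTTP/gw@EXAMPLE.COM".toCharArray())));
    System.out.println(resolve(store, "sandbox", "kerberos.keytab", "${ALIAS=keytab}"));
    System.out.println(resolve(store, "other", "kerberos.keytab", "${ALIAS=keytab}"));
    System.out.println(resolve(store, "sandbox", "kerberos.principal", "${ALIAS=principal}"));
    try {
      resolve(store, "sandbox", "signature.secret", "${ALIAS=missing}");
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Because the topology-level value shadows the gateway-level one, anyone able to create aliases for a single topology can override a gateway-wide secret for that topology only, which is worth keeping in mind when delegating alias management.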