Description
With the Impala service definitions that were recently added, it would be nice if Knox would accept and return the authentication cookies that Impala generates.
As far as I can tell, they are not currently being accepted due to failing the two checks here: https://github.com/apache/knox/blob/master/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/HadoopAuthCookieStore.java#L67
For the first check, isAuthCookie(), its fairly easy to add Impala's cookie name (impala.auth), to the options.
For the second check, isKnoxCookie(), which appears to have been added in KNOX-1341, Knox requires a very specific cookie format. While Impala uses the same basic scheme for generating cookies as Hadoop, the precise format is slightly different, so we fail the check. I can see a few options for fixing this:
- Update Impala to use the exact same cookie format as Hadoop. This is relatively easy, but it seems overly restrictive to me to require that all components use the exact same cookie format, and could cause headaches if Impala or any other components ever needs to modify their cookie format.
- Make the isKnoxCookie() check more permissive. The simplest thing would be to just check that the Knox principal is present somewhere in the cookie value, which should accept any cookie that uses the basic format of having a sequence of values, including the authenticated username/principal, along with an HMAC. It seems unlikely to me that would result in storing any undesired cookies, but if its too permissive another option would be to make the format dependent on the cookie name.
Attachments
Issue Links
- is related to
-
KNOX-2223 HS2 cookie not stored in HadoopAuthCookieStore
- Resolved
- links to