
HDFS WebUI asked for impersonation right when topology identity-assertion is set with HadoopGroupProvider

Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Component/s: Server
    • Labels: None

    Description

      Dear,

      We are currently using Apache Knox to manage the access to HDFS cluster. 

      Besides, we use Apache Ranger to manage the access control to different Apache Knox topologies.

      Our users and groups are located in LDAP server, and to propagate this information to Apache Ranger plugin of Knox, we setup the identity-assertion with LdapGroupsMapping implementation of Hadoop.

      <!-- Configuration in topology XML -->

      <!-- Ranger authorization plugin for this topology -->
      <provider>
          <role>authorization</role>
          <name>XASecurePDPKnox</name>
          <enabled>true</enabled>
      </provider>

      <!-- Identity assertion: resolve the authenticated user's groups through
           Hadoop's LdapGroupsMapping so Ranger sees the LDAP group membership -->
      <provider>
          <role>identity-assertion</role>
          <name>HadoopGroupProvider</name>
          <enabled>true</enabled>
          <param>
              <name>hadoop.security.group.mapping</name>
              <value>org.apache.hadoop.security.LdapGroupsMapping</value>
          </param>
          <!-- LDAP connection and bind credentials used for the group lookup -->
          <param>
              <name>hadoop.security.group.mapping.ldap.bind.password</name>
              <value>my_ldap_pass</value>
          </param>
          <param>
              <name>hadoop.security.group.mapping.ldap.url</name>
              <value>ldap://MY_LDAP_SERVER:3389</value>
          </param>
          <param>
              <name>hadoop.security.group.mapping.ldap.bind.user</name>
              <value>cn=manager,dc=hadoop,dc=com</value>
          </param>
          <param>
              <name>hadoop.security.group.mapping.ldap.base</name>
              <value>dc=hadoop,dc=com</value>
          </param>
          <!-- Search filters: which entries count as groups, and how the user entry is found ({0} = user name) -->
          <param>
              <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
              <value>(objectClass=groupOfNames)</value>
          </param>
          <param>
              <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
              <value>(&amp;(objectClass=inetOrgPerson)(cn={0}))</value>
          </param>
      </provider>


      Regarding the Apache Ranger plugin, this setting allows the Ranger plugin to correctly distinguish the user and its groups (stored in the LDAP server) when accessing a specific topology, and then to assess whether that user has the right to access it or not.


      However, with HDFS WebUI, this setting leads to the error:

      Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: test is not allowed to impersonate test 

      It appears to require the impersonation privilege for this user in order to obtain user group information. Clearly, we can enable the impersonation privilege for this specific user just to pass the test. But in production, we have hundreds to thousands of users, and we just cannot and must not give the impersonation privilege to all of those users who have the right to access the HDFS Web UI.


      Could you please take a look into this issue and shed some light on the topic?!
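An added review check (example code, not part of this report or of the Knox project) that parses a topology like the one above and reports the settings a reviewer would want to look at before deploying it: that the identity-assertion provider is HadoopGroupProvider with LdapGroupsMapping, whether the LDAP bind password is stored as a literal in the topology file, and whether the LDAP URL is unencrypted. Treating a `${ALIAS=...}` value as a non-literal secret reference and reading `hadoop.security.group.mapping.ldap.ssl` as the TLS switch are assumptions about the deployment, not facts from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the report's provider block, wrapped in the
# <topology><gateway> elements a real topology file carries. Placeholder values.
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider><role>authorization</role><name>XASecurePDPKnox</name><enabled>true</enabled></provider>
  <provider><role>identity-assertion</role><name>HadoopGroupProvider</name><enabled>true</enabled>
    <param><name>hadoop.security.group.mapping</name>
      <value>org.apache.hadoop.security.LdapGroupsMapping</value></param>
    <param><name>hadoop.security.group.mapping.ldap.bind.password</name><value>my_ldap_pass</value></param>
    <param><name>hadoop.security.group.mapping.ldap.url</name><value>ldap://MY_LDAP_SERVER:3389</value></param>
    <param><name>hadoop.security.group.mapping.ldap.bind.user</name><value>cn=manager,dc=hadoop,dc=com</value></param>
  </provider>
</gateway></topology>"""

PW = "hadoop.security.group.mapping.ldap.bind.password"
URL = "hadoop.security.group.mapping.ldap.url"
SSL = "hadoop.security.group.mapping.ldap.ssl"  # Hadoop's LDAPS switch (assumed relevant here)

def identity_assertion(topology_xml):
    """Return (provider name, {param: value}) for the enabled identity-assertion provider."""
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("role") == "identity-assertion" and prov.findtext("enabled", "true") == "true":
            params = {p.findtext("name"): (p.findtext("value") or "").strip() for p in prov.findall("param")}
            return prov.findtext("name"), params
    return None, {}

def audit(topology_xml):
    """List review findings for the group-mapping setup; an empty list means nothing to report."""
    name, params = identity_assertion(topology_xml)
    if name != "HadoopGroupProvider":
        return [f"identity-assertion provider is {name or '<none>'}; groups are not resolved through Hadoop group mapping"]
    findings = []
    mapping = params.get("hadoop.security.group.mapping", "")
    if not mapping.endswith("LdapGroupsMapping"):
        findings.append(f"group mapping is {mapping or '<unset>'}, not LdapGroupsMapping")
    pw = params.get(PW, "")
    # Assumption: a ${ALIAS=...} reference is resolved from Knox's credential store, a literal is not.
    if pw and not pw.startswith("${ALIAS="):
        findings.append(f"{PW} is stored as a literal in the topology file")
    url = params.get(URL, "")
    if url.startswith("ldap://") and params.get(SSL, "false") != "true":
        findings.append(f"{URL} uses plain ldap:// and {SSL} is not true")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TOPOLOGY):
        print(finding)
```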


          People

            Assignee: Unassigned
            Reporter: Tien Dat (tiendatphan)