  1. Apache Knox
  2. KNOX-2839

Refactor impersonation from KnoxToken service


Details

    • Task
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • None
    • 2.0.0
    • Server
    • None

    Description

      With KNOX-2714, end-users can create tokens on behalf of other users using Hadoop's impersonation mechanism.

      The problem with the current implementation is that the proxyuser authorization happens at the service level, but it should be executed sooner.

      As discussed offline with lmccay and pzampino we agreed on the following:

      • impersonation support should be done in Knox's identity assertion layer and not in the services
      • the proxyuser authorization in HadoopAuth filter should be left as-is. When someone configures them in two places (HadoopAuth authentication and in identity-assertion), a WARN-level message should indicate that the one on the identity-assertion level will be ignored.
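
The precedence rule described above, as an added example that is not Apache Knox or Hadoop source code: a simplified model in which the impersonation check runs before any service code and the identity-assertion rules are ignored, with a warning, when the authentication layer also carries proxyuser rules. The class and method names are hypothetical, the rule keys follow Hadoop's `hadoop.proxyuser.<user>.users` / `.hosts` convention (group rules are left out), and the sample users and hosts are constructed.

```java
import java.util.Map;
import java.util.logging.Logger;

// Added illustration: a simplified model, not Apache Knox or Hadoop source code.
public class ImpersonationCheck {
    private static final Logger LOG = Logger.getLogger("ImpersonationCheck");

    // A rule is a comma-separated list; "*" allows any value; a missing rule denies.
    static boolean matches(String rule, String value) {
        if (rule == null) return false;
        if (rule.trim().equals("*")) return true;
        for (String s : rule.split(",")) if (s.trim().equals(value)) return true;
        return false;
    }

    // Both the target user and the caller's host must be allowed for this proxy user.
    static boolean allowed(Map<String, String> conf, String proxy, String doAs, String host) {
        return matches(conf.get("hadoop.proxyuser." + proxy + ".users"), doAs)
            && matches(conf.get("hadoop.proxyuser." + proxy + ".hosts"), host);
    }

    // Returns the effective user, or throws before the request reaches a service.
    static String effectiveUser(Map<String, String> authConf, Map<String, String> assertionConf,
                                String authenticated, String doAs, String host) {
        if (doAs == null || doAs.equals(authenticated)) return authenticated;
        Map<String, String> rules = assertionConf;
        if (!authConf.isEmpty()) {                  // authentication-layer rules win
            if (!assertionConf.isEmpty()) {
                LOG.warning("proxyuser rules set in both places; identity-assertion rules are ignored");
            }
            rules = authConf;
        }
        if (!allowed(rules, authenticated, doAs, host)) {
            throw new SecurityException(authenticated + " may not impersonate " + doAs);
        }
        return doAs;
    }

    public static void main(String[] args) {
        // Constructed sample rules: permissive at identity assertion, strict at authentication.
        Map<String, String> assertion = Map.of(
            "hadoop.proxyuser.admin.users", "*", "hadoop.proxyuser.admin.hosts", "*");
        Map<String, String> auth = Map.of(
            "hadoop.proxyuser.admin.users", "bob", "hadoop.proxyuser.admin.hosts", "10.0.0.5");
        System.out.println(effectiveUser(Map.of(), assertion, "admin", "alice", "10.0.0.9"));
        System.out.println(effectiveUser(auth, assertion, "admin", "bob", "10.0.0.5"));
        try { effectiveUser(auth, assertion, "admin", "alice", "10.0.0.5"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The last call shows why the warning matters: the permissive identity-assertion rules would have allowed `alice`, but they are not consulted once the authentication layer has its own rules.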

            People

              smolnar Sandor Molnar
              smolnar Sandor Molnar

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 5h 50m