  1. Apache Knox
  2. KNOX-440

HttpFS impersonation issue


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 0.4.0
    • None
    • Site

    Description

      When NameNode High Availability is enabled, KNOX should be integrated with HttpFS, not WebHDFS. KNOX puts 'doAs=username' to impersonate a user against HttpFS. The problem is that HttpFS does not recognize 'doAs', resulting in the following error.

      client:
      $ hdfs dfs -ls /user/rob/hello
      r------- 3 rob stark 6 2014-10-02 09:19 /user/rob/hello
      $ curl -iLk -u rob -X GET "https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN"
      Enter host password for user 'rob':
      HTTP/1.1 500 Server Error
      Set-Cookie: JSESSIONID=u5grw7n8xe3x19o7wuxwpai3k;Path=/gateway/amber;Secure;HttpOnly
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Server: Apache-Coyote/1.1
      Date: Mon, 13 Oct 2014 03:47:47 GMT
      Content-Type: application/json
      Connection: close

      {"RemoteException":{"message":"Permission denied: user=knox, access=READ, inode=\"/user/rob/hello\":rob:stark:r-------","exception":"AccessControlException","javaClassName":"org.apache.hadoop.security.AccessControlException"}}

      tail -f $KNOX/logs/gateway.log

      2014-10-13 12:47:47,169 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(110)) - Received request: GET /webhdfs/v1/user/rob/hello?op=OPEN
      2014-10-13 12:47:47,596 INFO realm.AuthorizingRealm (AuthorizingRealm.java:getAuthorizationCacheLazy(248)) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
      2014-10-13 12:47:47,635 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(157)) - Rewrote URL: https://master-9.amber.gbcl.net:8443/gateway/amber/webhdfs/v1/user/rob/hello?op=OPEN, direction: IN via explicit rule: WEBHDFS/webhdfs/inbound/namenode/file to URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?op=OPEN
      2014-10-13 12:47:47,653 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: /, direction: IN
      2014-10-13 12:47:47,654 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2, direction: IN
      2014-10-13 12:47:47,656 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(104)) - Dispatch request: GET http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
      2014-10-13 12:47:47,934 DEBUG hadoop.gateway (AppCookieManager.java:getAppCookie(139)) - Successful Knox->Hadoop SPNegotiation authentication for URL: http://master-9.amber.gbcl.net:14000/webhdfs/v1/user/rob/hello?doAs=rob&op=OPEN
      2014-10-13 12:47:48,005 DEBUG hadoop.gateway (HttpClientDispatch.java:executeRequest(131)) - Dispatch response status: 500
      2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Apache-Coyote/1.1, direction: OUT
      2014-10-13 12:47:48,007 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: application/json, direction: OUT
      2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: chunked, direction: OUT
      2014-10-13 12:47:48,008 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Mon, 13 Oct 2014 03:47:47 GMT, direction: OUT
      2014-10-13 12:47:48,009 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: close, direction: OUT
      2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: Permission denied: user=knox, access=READ, inode="/user/rob/hello":rob:stark:r-------, direction: OUT
      2014-10-13 12:47:48,030 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: AccessControlException, direction: OUT
      2014-10-13 12:47:48,031 TRACE hadoop.gateway (UrlRewriteProcessor.java:rewrite(168)) - No rule matching URL: org.apache.hadoop.security.AccessControlException, direction: OUT

      According to the WebHDFS specification, the correct variable name is 'doas'.

            People

              Unassigned Unassigned
              jaehoon13.ko jaehoon ko