knox-user mailing list archives

From Sean Roberts <srobe...@hortonworks.com>
Subject Re: Impersonate/ProxyUser through Knox?
Date Sat, 01 Sep 2018 19:30:09 GMT
Larry – How about inheriting so the user has the same rights they would have if talking directly
to the service.

Example:

hadoop.proxyuser.someservice.users=larry,sean

That enables ‘someservice’ to impersonate larry & sean for services which use core-site:hadoop.proxyuser.

When talking to any of those services through Knox it could make sense for Knox to respect
that configuration, allowing them to impersonate for those services & users through Knox.

--
Sean Roberts
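Added example, not Knox or Hadoop code: a Python model of the hadoop.proxyuser.* decision Sean refers to, extended from the thread's `.users` list to the `.groups` and `.hosts` lists that Hadoop's DefaultImpersonationProvider also consults (`*` is a wildcard in each). The group table and the host entries are constructed for the example.

```python
"""Model of the hadoop.proxyuser.<proxy>.{users,groups,hosts} check.
Allowed only if the target user is in .users or belongs to a group in
.groups, AND the caller's address is in .hosts. Missing lists match nothing."""
import ipaddress
from typing import Dict, Set

# Constructed core-site style properties: the thread's example plus
# groups/hosts for the same service user, and a wide-open httpfs entry.
CORE_SITE = {
    "hadoop.proxyuser.someservice.users": "larry,sean",
    "hadoop.proxyuser.someservice.groups": "analysts",
    "hadoop.proxyuser.someservice.hosts": "10.0.0.5,10.0.1.0/24",
    "hadoop.proxyuser.httpfs.users": "*",
    "hadoop.proxyuser.httpfs.hosts": "*",
}

# Constructed group membership (Hadoop resolves this via its group mapping provider).
GROUPS: Dict[str, Set[str]] = {
    "larry": {"admins"}, "sean": {"analysts"}, "alice": {"analysts"}, "bob": {"guests"},
}


def _split(value: str) -> Set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


def _host_allowed(host: str, allowed: Set[str]) -> bool:
    """Exact IP match or CIDR membership; '*' matches every host."""
    if "*" in allowed:
        return True
    addr = ipaddress.ip_address(host)
    for entry in allowed:
        if "/" in entry and addr in ipaddress.ip_network(entry, strict=False):
            return True
        if entry == host:
            return True
    return False


def may_impersonate(conf: Dict[str, str], proxy_user: str, target_user: str,
                    remote_host: str, groups: Dict[str, Set[str]] = GROUPS) -> bool:
    prefix = f"hadoop.proxyuser.{proxy_user}."
    users = _split(conf.get(prefix + "users", ""))
    grps = _split(conf.get(prefix + "groups", ""))
    hosts = _split(conf.get(prefix + "hosts", ""))
    user_ok = ("*" in users or target_user in users
               or "*" in grps or bool(grps & groups.get(target_user, set())))
    # A proxy user with no proxyuser properties at all is therefore denied.
    return user_ok and _host_allowed(remote_host, hosts)
```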

From: larry mccay <lmccay@apache.org>
Reply-To: "user@knox.apache.org" <user@knox.apache.org>
Date: Saturday, 1 September 2018 at 20:21
To: "user@knox.apache.org" <user@knox.apache.org>
Subject: Re: Impersonate/ProxyUser through Knox?

Hi Sean -

The mechanism for doing such impersonation is through identity assertion providers.
We have a number of them out of the box.

In order to do this with the same sort of validation and trust configuration, a new one would
likely be needed that took such configuration.
You would then assert the effective user as the user in the header or query param that you
are checking.

I don't think that using the typical user.name or doas query params
will work since we currently scrub any incoming requests of such impersonation attempts as
it could be an attempt to spoof another identity by the client.

We could also look into providing the trusted proxy config on top of the HadoopAuthProvider
but that would make such impersonation be tightly coupled to that provider. Maybe that makes
sense since it is a Hadoop specific pattern but at the same time - much of the use of Knox
is to avoid having to use kerberos.

Anyway, you can certainly file a JIRA for a feature and we can discuss the usecases more in
depth there.

thanks,

--larry

On Fri, Aug 31, 2018 at 5:04 PM Sean Roberts <sroberts@hortonworks.com> wrote:
David – Would you agree that this is a valid feature request?

Hortonworks docs suggest replacing HttpFs with Knox, but this is a use case where Knox cannot
replace HttpFs which has its own proxyuser functionality.


--
Sean Roberts

From: David Villarreal <dvillarreal@hortonworks.com>
Date: Friday, 31 August 2018 at 21:38
To: Sean Roberts <sroberts@hortonworks.com>, "user@knox.apache.org" <user@knox.apache.org>
Subject: Re: Impersonate/ProxyUser through Knox?

Hi Sean,

Proxy/Impersonation is configured on the Hadoop side. And knox user/principal impersonates
users. I think the answer to this question is no… Knox does not have its own proxy impersonation
provider.

What I know Knox does have is
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_configuring_identity_assertion.html
http://kminder.github.io/knox/2015/11/20/identity-assertion.html
http://knox.apache.org/books/knox-1-1-0/user-guide.html#Identity+Assertion


From: Sean Roberts <sroberts@hortonworks.com>
Date: Friday, August 31, 2018 at 12:43 PM
To: "user@knox.apache.org" <user@knox.apache.org>
Subject: Impersonate/ProxyUser through Knox?

Knox experts – Does Knox provide impersonation/proxyuser functionality like direct WebHDFS
connections (hadoop.proxyuser.service-user.users) and HttpFS (httpfs.proxyuser.service-user.users)?

For example:

- “service-user” authenticates to Knox, then requests to run commands as “normal-user”.

--
Sean Roberts