knox-user mailing list archives

From larry mccay <lmc...@apache.org>
Subject Re: Impersonate/ProxyUser through Knox?
Date Sat, 01 Sep 2018 19:21:22 GMT
Hi Sean -

The mechanism for doing such impersonation is through identity assertion
providers.
We have a number of them out of the box.

In order to do this with the same sort of validation and trust
configuration, a new one would likely be needed that took such
configuration.
You would then assert the effective user as the user in the header or query
param that you are checking.

I don't think that using the typical user.name or doas query params will
work since we currently scrub any incoming requests of such impersonation
attempts as it could be an attempt to spoof another identity by the client.

We could also look into providing the trusted proxy config on top of the
HadoopAuthProvider but that would make such impersonation be tightly
coupled to that provider. Maybe that makes sense since it is a Hadoop
specific pattern but at the same time - much of the use of Knox is to avoid
having to use kerberos.

Anyway, you can certainly file a JIRA for a feature and we can discuss the
use cases more in depth there.

thanks,

--larry

On Fri, Aug 31, 2018 at 5:04 PM Sean Roberts <sroberts@hortonworks.com>
wrote:

> David – Would you agree that this is a valid feature request?
>
> Hortonworks docs suggest replacing HttpFs with Knox, but this is a use
> case where Knox cannot replace HttpFs which has its own proxyuser
> functionality.
>
> --
> Sean Roberts
>
> *From: *David Villarreal <dvillarreal@hortonworks.com>
> *Date: *Friday, 31 August 2018 at 21:38
> *To: *Sean Roberts <sroberts@hortonworks.com>, "user@knox.apache.org" <user@knox.apache.org>
> *Subject: *Re: Impersonate/ProxyUser through Knox?
>
> Hi Sean,
>
> Proxy/Impersonation is configured on the Hadoop side. And knox
> user/principal impersonates users. I think the answer to this question is
> no…. Knox does not have its own proxy impersonation provider.
>
> What I know Knox does have is
>
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_configuring_identity_assertion.html
> http://kminder.github.io/knox/2015/11/20/identity-assertion.html
> http://knox.apache.org/books/knox-1-1-0/user-guide.html#Identity+Assertion
>
> *From: *Sean Roberts <sroberts@hortonworks.com>
> *Date: *Friday, August 31, 2018 at 12:43 PM
> *To: *"user@knox.apache.org" <user@knox.apache.org>
> *Subject: *Impersonate/ProxyUser through Knox?
>
> Knox experts – Does Knox provide impersonation/proxyuser functionality
> like direct WebHDFS connections *(hadoop.proxyuser.service-user.users)*
> and HttpFS *(httpfs.proxyuser.service-user.users)*?
>
> For example:
>
> - “service-user” authenticates to Knox, then requests to run
> commands as “normal-user”.
>
> --
> Sean Roberts

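The behaviour discussed in this thread, modelled in code as an added example (this is not Knox or Hadoop code and is not part of the mailing-list message): the gateway scrubs client-supplied user.name/doas identity claims from the query string, and a Hadoop-style trusted-proxy check (hadoop.proxyuser.<proxy>.users/.groups/.hosts) decides whether the authenticated caller may be asserted as the requested user. The X-Knox-DoAs header, the core-site style configuration and the group lookup are all constructed for the example; a real provider would read the identity from whatever header or parameter its configuration names.

```python
"""Model of the trusted-proxy behaviour discussed in the thread (added example,
not Knox or Hadoop code): strip client identity claims from the query string,
then apply hadoop.proxyuser-style rules before asserting another user."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set, Tuple

# Query params that Hadoop REST endpoints treat as identity claims; the gateway
# drops these from the client request so they cannot be used to spoof a user.
IMPERSONATION_PARAMS = {"user.name", "doas"}

# Hypothetical header a custom identity-assertion provider would check (assumption).
DOAS_HEADER = "x-knox-doas"


def scrub_impersonation_params(query: Dict[str, str]) -> Dict[str, str]:
    """Copy of the query string without client-supplied user.name / doAs (any case)."""
    return {k: v for k, v in query.items() if k.lower() not in IMPERSONATION_PARAMS}


def _csv(value: str) -> Set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


@dataclass
class ProxyUserPolicy:
    """hadoop.proxyuser semantics: proxy P may act as user U from host H iff
    (U in P.users or U's groups intersect P.groups) and H in P.hosts.
    '*' is a wildcard; a proxy with no entries is denied (fail closed)."""
    users: Dict[str, Set[str]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    hosts: Dict[str, Set[str]] = field(default_factory=dict)

    @classmethod
    def from_hadoop_conf(cls, conf: Dict[str, str]) -> "ProxyUserPolicy":
        """Parse core-site style keys such as hadoop.proxyuser.knox.hosts."""
        policy = cls()
        prefix = "hadoop.proxyuser."
        for key, value in conf.items():
            if not key.startswith(prefix):
                continue
            proxy, _, attr = key[len(prefix):].rpartition(".")
            table = {"users": policy.users, "groups": policy.groups,
                     "hosts": policy.hosts}.get(attr)
            if proxy and table is not None:
                table[proxy] = _csv(value)
        return policy

    def authorize(self, proxy: str, target: str, target_groups: Iterable[str],
                  remote_host: str) -> bool:
        allowed_users = self.users.get(proxy, set())
        allowed_groups = self.groups.get(proxy, set())
        allowed_hosts = self.hosts.get(proxy, set())
        user_ok = ("*" in allowed_users or target in allowed_users
                   or "*" in allowed_groups
                   or bool(allowed_groups & set(target_groups)))
        host_ok = "*" in allowed_hosts or remote_host in allowed_hosts
        return user_ok and host_ok


def assert_effective_user(authenticated_user: str, headers: Dict[str, str],
                          query: Dict[str, str], policy: ProxyUserPolicy,
                          group_lookup: Callable[[str], Set[str]],
                          remote_host: str) -> Tuple[str, Dict[str, str]]:
    """Return (effective user, outbound query). Client user.name/doas values are
    discarded; an explicit request to act as another user must pass the
    proxyuser check, otherwise the request is refused, not silently downgraded."""
    outbound = scrub_impersonation_params(query)
    requested = {k.lower(): v for k, v in headers.items()}.get(DOAS_HEADER)
    if requested is None or requested == authenticated_user:
        return authenticated_user, outbound
    if not policy.authorize(authenticated_user, requested,
                            group_lookup(requested), remote_host):
        raise PermissionError(
            f"{authenticated_user}@{remote_host} is not a trusted proxy for {requested}")
    return requested, outbound


# Constructed sample configuration and group membership (not from a real cluster).
SAMPLE_CONF = {
    "hadoop.proxyuser.service-user.users": "normal-user,other-user",
    "hadoop.proxyuser.service-user.hosts": "10.0.0.5",
    "hadoop.proxyuser.etl.groups": "analysts",
    "hadoop.proxyuser.etl.hosts": "*",
}
SAMPLE_GROUPS = {"normal-user": {"staff"}, "alice": {"analysts"}, "root": {"wheel"}}


def sample_lookup(user: str) -> Set[str]:
    return SAMPLE_GROUPS.get(user, set())


if __name__ == "__main__":
    policy = ProxyUserPolicy.from_hadoop_conf(SAMPLE_CONF)
    # Client-supplied doas=root is dropped; the header-requested user is checked.
    print(assert_effective_user("service-user", {"X-Knox-DoAs": "normal-user"},
                                {"op": "LISTSTATUS", "doas": "root"},
                                policy, sample_lookup, "10.0.0.5"))
    try:
        assert_effective_user("service-user", {"X-Knox-DoAs": "root"},
                              {"op": "LISTSTATUS"}, policy, sample_lookup, "10.0.0.5")
    except PermissionError as e:
        print("refused:", e)
```

The point of the scrub step is the one larry makes: anything the client puts in user.name or doas is an unverified identity claim and must never reach the backend. The proxyuser check is what the requested feature would add on the Knox side; it is deliberately fail-closed (an unlisted proxy, a target outside the users/groups lists, or an unlisted source host all refuse the request) rather than falling back to the caller's own identity, so a misconfiguration surfaces as a 403 instead of a silent change of user.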