From: larry mccay
Date: Sat, 1 Sep 2018 15:21:22 -0400
To: user@knox.apache.org
Subject: Re: Impersonate/ProxyUser through Knox?

Hi Sean -

The mechanism for doing such impersonation is through identity assertion providers. We have a number of them out of the box.

In order to do this with the same sort of validation and trust configuration, a new one would likely be needed that took such configuration. You would then assert the effective user as the user in the header or query param that you are checking.

I don't think that using the typical user.name or doas query params will work since we currently scrub any incoming requests of such impersonation attempts as it could be an attempt to spoof another identity by the client.

We could also look into providing the trusted proxy config on top of the HadoopAuthProvider but that would make such impersonation be tightly coupled to that provider. Maybe that makes sense since it is a Hadoop specific pattern but at the same time - much of the use of Knox is to avoid having to use Kerberos.

Anyway, you can certainly file a JIRA for a feature and we can discuss the use cases more in depth there.

thanks,

--larry

On Fri, Aug 31, 2018 at 5:04 PM Sean Roberts <sroberts@hortonworks.com> wrote:

> David – Would you agree that this is a valid feature request?
>
> Hortonworks docs suggest replacing HttpFs with Knox, but this is a use case where Knox cannot replace HttpFs which has its own proxyuser functionality.
>
> --
> Sean Roberts
>
> From: David Villarreal <dvillarreal@hortonworks.com>
> Date: Friday, 31 August 2018 at 21:38
> To: Sean Roberts <sroberts@hortonworks.com>, "user@knox.apache.org" <user@knox.apache.org>
> Subject: Re: Impersonate/ProxyUser through Knox?
>
> Hi Sean,
>
> Proxy/Impersonation is configured on the Hadoop side. And Knox user/principal impersonates users. I think the answer to this question is no… Knox does not have its own proxy impersonation provider.
>
> What I know Knox does have is
>
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_configuring_identity_assertion.html
> http://kminder.github.io/knox/2015/11/20/identity-assertion.html
> http://knox.apache.org/books/knox-1-1-0/user-guide.html#Identity+Assertion
>
> From: Sean Roberts <sroberts@hortonworks.com>
> Date: Friday, August 31, 2018 at 12:43 PM
> To: "user@knox.apache.org" <user@knox.apache.org>
> Subject: Impersonate/ProxyUser through Knox?
>
> Knox experts – Does Knox provide impersonation/proxyuser functionality like direct WebHDFS connections (hadoop.proxyuser.service-user.users) and HttpFS (httpfs.proxyuser.service-user.users)?
>
> For example:
>
> - "service-user" authenticates to Knox, then requests to run commands as "normal-user".
>
> --
> Sean Roberts
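To make the pattern discussed in this thread concrete, here is an added example (not Knox or Hadoop code, and not anything the participants posted) of a trusted-proxy identity assertion step. It models the hadoop.proxyuser.<user>.users / .groups / .hosts properties Sean names (and the httpfs.proxyuser.* equivalent) together with the behaviour Larry describes: inbound user.name and doAs parameters are scrubbed before anything is forwarded, and a different effective user is asserted only when an explicit allowlist permits it. All function names (`parse_proxyuser_config`, `scrub_query`, `assert_effective_user`, `is_denied`) are hypothetical, and the configuration and group membership are constructed sample data.

```python
"""Hypothetical trusted-proxy ("proxyuser") identity assertion check.

Added example, not Knox or Hadoop code.  Models the hadoop.proxyuser.<user>.*
allowlist pattern plus scrubbing of inbound user.name / doAs parameters.
"""
import ipaddress
from urllib.parse import parse_qsl, urlencode

# Hadoop REST parameters that request impersonation (compared case-insensitively).
IMPERSONATION_PARAMS = {"user.name", "doas"}


class ImpersonationDenied(Exception):
    """Raised when a client asks to act as a user it is not trusted to proxy for."""


def parse_proxyuser_config(props):
    """Flatten '<hadoop|httpfs>.proxyuser.<proxy>.<users|groups|hosts>' properties
    into {proxy: {"users": set, "groups": set, "hosts": set}}.
    Assumes proxy user names contain no '.' (true of the thread's examples)."""
    rules = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) != 4 or parts[0] not in ("hadoop", "httpfs") or parts[1] != "proxyuser":
            continue
        proxy, field = parts[2], parts[3]
        if field not in ("users", "groups", "hosts"):
            continue
        rule = rules.setdefault(proxy, {"users": set(), "groups": set(), "hosts": set()})
        rule[field] = {v.strip() for v in value.split(",") if v.strip()}
    return rules


def _host_allowed(hosts, remote_addr):
    """'*' or any IP/CIDR entry matching the caller's address allows the hop."""
    if "*" in hosts:
        return True
    addr = ipaddress.ip_address(remote_addr)
    for entry in hosts:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname entries would need DNS resolution; not modelled here
    return False


def scrub_query(query):
    """Drop user.name / doAs from the query that will be forwarded and report
    which user, if any, the client asked to act as."""
    kept, requested = [], None
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in IMPERSONATION_PARAMS:
            if name.lower() == "doas":
                requested = value
            continue
        kept.append((name, value))
    return urlencode(kept), requested


def assert_effective_user(auth_user, remote_addr, query, rules, lookup_groups):
    """Return (effective_user, forwarded_query).

    The authenticated user stays effective unless it is a configured proxy user,
    the doAs target is covered by its users/groups allowlist, and the request came
    from an allowed host (Hadoop semantics: user OR group, AND host)."""
    forwarded, target = scrub_query(query)
    if target is None or target == auth_user:
        return auth_user, forwarded
    rule = rules.get(auth_user)
    if rule is None:
        raise ImpersonationDenied(f"{auth_user} is not a configured proxy user")
    user_ok = "*" in rule["users"] or target in rule["users"]
    group_ok = "*" in rule["groups"] or bool(rule["groups"] & set(lookup_groups(target)))
    if not (user_ok or group_ok):
        raise ImpersonationDenied(f"{auth_user} is not allowed to impersonate {target}")
    if not _host_allowed(rule["hosts"], remote_addr):
        raise ImpersonationDenied(f"{auth_user} may not impersonate from {remote_addr}")
    return target, forwarded


def is_denied(*args):
    """True when assert_effective_user rejects the request; denials are the
    events a gateway operator would log and alert on."""
    try:
        assert_effective_user(*args)
    except ImpersonationDenied:
        return True
    return False


# Constructed sample configuration and group membership, mirroring the thread's
# "service-user" acting for "normal-user".
SAMPLE_PROPS = {
    "hadoop.proxyuser.service-user.users": "normal-user,etl",
    "hadoop.proxyuser.service-user.groups": "analysts",
    "hadoop.proxyuser.service-user.hosts": "10.0.0.0/24",
}
SAMPLE_GROUPS = {"normal-user": ["staff"], "alice": ["analysts"], "root": ["wheel"]}
RULES = parse_proxyuser_config(SAMPLE_PROPS)


def lookup_groups(user):
    return SAMPLE_GROUPS.get(user, [])
```

With the sample rules, `assert_effective_user("service-user", "10.0.0.7", "op=LISTSTATUS&doAs=normal-user&user.name=root", RULES, lookup_groups)` returns `("normal-user", "op=LISTSTATUS")`: the doAs is honoured because service-user is an allowed proxy from that subnet, while the spoofed user.name is discarded rather than forwarded. The same request from 192.168.1.5, or a doAs for a user outside the allowlist, is denied, and a caller that is not a configured proxy user simply keeps its own identity with the impersonation parameters stripped, which is the scrubbing behaviour Larry describes.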