Ok. Some further digging.
In Knox (org.apache.hadoop.gateway.hive.HiveDispatch) I found the code that adds the principal to the header:
    protected void addCredentialsToRequest(HttpUriRequest request) {
      if( isBasicAuthPreemptive() ) {
        Principal principal = getPrimaryPrincipal();
        if( principal != null ) {
          UsernamePasswordCredentials credentials =
              new UsernamePasswordCredentials( principal.getName(), PASSWORD_PLACEHOLDER );
          request.addHeader(BasicScheme.authenticate(credentials,"US-ASCII",false));
        }
      }
    }
Here I would have expected code that used the asserted principal, if there is one. So, to me, it seems that Knox should be fixed. My mind goes: We use principal assertion because we do not want to expose the external users to the cluster. Then, Knox should not use the external principal in any dealings with the cluster. I therefore think Knox should be fixed.
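An added sketch, not part of the original post and not Knox's own code, of the behaviour the post asks for: when the subject carries an asserted principal, that name (and not the externally authenticated one) goes into the Basic header sent to the cluster. `AssertedPrincipal`, `PrimaryPrincipal`, `effectiveName` and `basicHeader` are hypothetical names, the user names are constructed, and the code assumes Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Set;
import javax.security.auth.Subject;

public class EffectivePrincipalExample {
    // Hypothetical marker types: the identity that authenticated at the gateway,
    // and the identity produced by principal assertion/mapping.
    record PrimaryPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record AssertedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Prefer the asserted identity; fall back to the primary one only when
    // no assertion took place. Returns null if the subject has neither.
    static String effectiveName(Subject subject) {
        Set<AssertedPrincipal> asserted = subject.getPrincipals(AssertedPrincipal.class);
        if (!asserted.isEmpty()) {
            return asserted.iterator().next().getName();
        }
        Set<PrimaryPrincipal> primary = subject.getPrincipals(PrimaryPrincipal.class);
        return primary.isEmpty() ? null : primary.iterator().next().getName();
    }

    // Build the preemptive Basic header value for the outbound request.
    static String basicHeader(String user, String placeholder) {
        if (user == null || user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("no usable principal name");
        }
        byte[] pair = (user + ":" + placeholder).getBytes(StandardCharsets.US_ASCII);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        Subject mapped = new Subject();
        mapped.getPrincipals().add(new PrimaryPrincipal("external.user"));   // constructed
        mapped.getPrincipals().add(new AssertedPrincipal("cluster.user"));   // constructed
        Subject unmapped = new Subject();
        unmapped.getPrincipals().add(new PrimaryPrincipal("external.user"));

        // The mapped subject must never leak the external name downstream.
        System.out.println("mapped   -> " + effectiveName(mapped));
        System.out.println("unmapped -> " + effectiveName(unmapped));
        System.out.println(basicHeader(effectiveName(mapped), "placeholder"));
    }
}
```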