Quantcast
Channel: Hortonworks » All Replies
Viewing all articles
Browse latest Browse all 3435

Reply To: cliservice does not respect user assertion done by Knox

$
0
0

Ok. Some further digging.

In Knox (org.apache.hadoop.gateway.hive.HiveDispatch) I found the code that adds the principal to the header:

 protected void addCredentialsToRequest(HttpUriRequest request) {
if( isBasicAuthPreemptive() ) {
Principal principal = getPrimaryPrincipal();
if( principal != null ) {

UsernamePasswordCredentials credentials =
new UsernamePasswordCredentials( principal.getName(), PASSWORD_PLACEHOLDER );

request.addHeader(BasicScheme.authenticate(credentials,"US-ASCII",false));
}
}
}

Here I would have expected code that used the asserted principal, if there is one. So, to me, it seems that Knox should be fixed. My mind goes: We use principal assertion because we do not want to expose the external users to the cluster. Then, Knox should not use the external principal in any dealings with the cluster. I therefore think Knox should be fixed.


Viewing all articles
Browse latest Browse all 3435

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>