Channel: Hortonworks » All Replies

Reply To: cliservice does not respect user assertion done by Knox

I found org.apache.hadoop.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter, which filters HTTP streams into and out of Knox. This is where the mapping happens and where parameters are set before the data is sent to the backend services.

The identity assertion wrapper is org.apache.hadoop.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper. There I found:

  public String getQueryString() {
    String q = null;
    Map<String, String[]> params = getParams();

    if (params == null) {
      params = new HashMap<String, String[]>();
    }
    
    ArrayList<String> al = new ArrayList<String>();
    al.add(username);
    String[] a = { "" };

    if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
      params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
      params.remove(PRINCIPAL_PARAM);
    } else {
      params.put(PRINCIPAL_PARAM, al.toArray(a));
    }
    
    String encoding = getCharacterEncoding();
    if (encoding == null) {
      encoding = Charset.defaultCharset().name();
    }
    q = urlEncode(params, encoding);
    return q;
  }

So it checks if the cluster is Kerberos secured. If it is, it passes a doAs query parameter with the asserted username. If it is not (as in our case) it reverts back to user.name as the query parameter.

The problem is that Hive does not look for query parameters. It looks at the authentication header in the HTTP stream. These are not changed in the IdentityAsserterHttpServletRequestWrapper and Hive does not look at user.name, the query parameter.

I am still convinced we should solve this at Knox — there we should pass the asserted identity into the HTTP header.
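
Added example, not part of the original reply and not Knox or Hive code: a small stand-alone model of the mismatch described above, where the asserted identity is written into the query string while a backend that reads only the authentication header still sees the original user. The class and method names, the sample users, and the use of HTTP Basic credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Illustration only: hypothetical names, no servlet or Knox dependencies.
public class AssertionMismatchDemo {

  // Mirrors the branch in the post: doAs on a Kerberos cluster, user.name otherwise.
  static Map<String, String> assertInQuery(Map<String, String> query, String asserted, boolean kerberos) {
    Map<String, String> out = new LinkedHashMap<>(query);
    if (kerberos) {
      out.put("doAs", asserted);
      out.remove("user.name");
    } else {
      out.put("user.name", asserted);
    }
    return out;
  }

  // Backend that trusts the query parameters set by the gateway.
  static String userFromQuery(Map<String, String> query) {
    return query.containsKey("doAs") ? query.get("doAs") : query.get("user.name");
  }

  // Backend that reads only the authentication header (assumed here to be HTTP Basic).
  static String userFromBasicHeader(Map<String, String> headers) {
    String h = headers.get("Authorization");
    if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
    String decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
    int colon = decoded.indexOf(':');
    return colon < 0 ? decoded : decoded.substring(0, colon);
  }

  public static void main(String[] args) {
    // Constructed sample: client authenticates as "guest"; the gateway maps guest to "hiveuser".
    String creds = Base64.getEncoder().encodeToString("guest:guest-password".getBytes(StandardCharsets.UTF_8));
    Map<String, String> headers = new LinkedHashMap<>();
    headers.put("Authorization", "Basic " + creds); // forwarded unchanged, as the post observes
    Map<String, String> query = new LinkedHashMap<>();
    query.put("user.name", "guest");

    String fromQuery = userFromQuery(assertInQuery(query, "hiveuser", false));
    String fromHeader = userFromBasicHeader(headers);
    System.out.println("query-reading backend sees:  " + fromQuery);
    System.out.println("header-reading backend sees: " + fromHeader);
    if (!fromQuery.equals(fromHeader)) {
      System.out.println("MISMATCH: asserted identity did not reach the header-reading backend");
    }
  }
}
```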