
KNOX-2831 - Make Hadoop impersonation work across topologies and roles with different proxyuser configs #660

Merged
smolnar82 merged 1 commit into apache:master from smolnar82:KNOX-2831 on Oct 28, 2022

Conversation

@smolnar82 (Contributor) commented Oct 27, 2022

What changes were proposed in this pull request?

Prior to my changes, both Knox's HadoopAuthFilter and TokenResource classes used Hadoop's ProxyUsers class that maintains a static ImpersonationProvider instance and invokes delegation methods on that. Subsequent ProxyUsers.refreshSuperUserGroupsConfiguration calls overwrite this impersonation provider. This causes a problem in the following cases:

  • end-users have multiple Knox topologies where token impersonation is enabled with different proxyuser configurations in the KNOXTOKEN service
  • even in the same topology, if the authentication method is Kerberos (thus we have the HadoopAuth filter enabled and configured) and the KNOXTOKEN service has impersonation enabled with another proxyuser configuration

The solution is to eliminate the need for this static ProxyUsers factory and have the ImpersonationProvider instances created and stored in a map on topology/role level.

How was this patch tested?

After deploying Knox with my changes, I duplicated the homepage topology and re-configured the proxyuser settings:

  • homepage.xml - admin can impersonate anyone
      <param>
          <name>knox.token.impersonation.enabled</name>
          <value>true</value>
      </param>
      <param>
          <name>knox.token.proxyuser.admin.users</name>
          <value>*</value>
      </param>
      <param>
          <name>knox.token.proxyuser.admin.groups</name>
          <value>*</value>
      </param>
      <param>
          <name>knox.token.proxyuser.admin.hosts</name>
          <value>*</value>
      </param>
  • homepage_2.xml - guest can impersonate anyone
      <param>
          <name>knox.token.impersonation.enabled</name>
          <value>true</value>
      </param>
      <param>
          <name>knox.token.proxyuser.guest.users</name>
          <value>*</value>
      </param>
      <param>
          <name>knox.token.proxyuser.guest.groups</name>
          <value>*</value>
      </param>
      <param>
          <name>knox.token.proxyuser.guest.hosts</name>
          <value>*</value>
      </param>

Then I generated impersonated tokens for user1 and user2 on behalf of the admin user using the homepage topology and on behalf of the guest user using the homepage_2 topology. All tokens were generated successfully (as opposed to what I experienced before my changes; see KNOX-2831):

postgres=> select * from knox_tokens kt, knox_token_metadata meta where kt.token_id = meta.token_id ORDER by kt.issue_time;
               token_id               |  issue_time   |  expiration   | max_lifetime  |               token_id               |  md_name  |                                           md_value                                           
--------------------------------------+---------------+---------------+---------------+--------------------------------------+-----------+----------------------------------------------------------------------------------------------
 2b107f91-6808-40c4-a21c-2f0cd7b0517a | 1666863575514 | 1666899575273 | 1667468375514 | 2b107f91-6808-40c4-a21c-2f0cd7b0517a | passcode  | 77+977+9aN+f3aHvv71oUkwO77+977+9WRvvv73vv73vv70A77+9Fe+/vS3vv70Q77+977+9UAx977+9
 2b107f91-6808-40c4-a21c-2f0cd7b0517a | 1666863575514 | 1666899575273 | 1667468375514 | 2b107f91-6808-40c4-a21c-2f0cd7b0517a | enabled   | true
 2b107f91-6808-40c4-a21c-2f0cd7b0517a | 1666863575514 | 1666899575273 | 1667468375514 | 2b107f91-6808-40c4-a21c-2f0cd7b0517a | createdBy | guest
 2b107f91-6808-40c4-a21c-2f0cd7b0517a | 1666863575514 | 1666899575273 | 1667468375514 | 2b107f91-6808-40c4-a21c-2f0cd7b0517a | userName  | user2
 2b107f91-6808-40c4-a21c-2f0cd7b0517a | 1666863575514 | 1666899575273 | 1667468375514 | 2b107f91-6808-40c4-a21c-2f0cd7b0517a | comment   | guest token for user2
 aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | 1666863636583 | 1666899636571 | 1667468436583 | aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | passcode  | au+/vdKt77+977+9Au+/ve+/ve+/ve+/vXrvv71Z77+9K++/vRPvv73vv73vv73vv73GnO+/vWTvv73vv70SLO+/vQ==
 aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | 1666863636583 | 1666899636571 | 1667468436583 | aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | enabled   | true
 aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | 1666863636583 | 1666899636571 | 1667468436583 | aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | createdBy | admin
 aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | 1666863636583 | 1666899636571 | 1667468436583 | aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | userName  | user1
 aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | 1666863636583 | 1666899636571 | 1667468436583 | aa8dc15e-3253-4b49-ac65-97d7db1af1c3 | comment   | admin token for user1
 e51e760f-1df7-4341-92aa-9a9b73a9cab5 | 1666863653051 | 1666899653040 | 1667468453051 | e51e760f-1df7-4341-92aa-9a9b73a9cab5 | passcode  | Mng777+977+9ZSBp77+9YRDvv718xLnvv70NTBlGbzDvv71w77+9O++/vcSB77+9UXg=
 e51e760f-1df7-4341-92aa-9a9b73a9cab5 | 1666863653051 | 1666899653040 | 1667468453051 | e51e760f-1df7-4341-92aa-9a9b73a9cab5 | enabled   | true
 e51e760f-1df7-4341-92aa-9a9b73a9cab5 | 1666863653051 | 1666899653040 | 1667468453051 | e51e760f-1df7-4341-92aa-9a9b73a9cab5 | createdBy | guest
 e51e760f-1df7-4341-92aa-9a9b73a9cab5 | 1666863653051 | 1666899653040 | 1667468453051 | e51e760f-1df7-4341-92aa-9a9b73a9cab5 | userName  | user2
 e51e760f-1df7-4341-92aa-9a9b73a9cab5 | 1666863653051 | 1666899653040 | 1667468453051 | e51e760f-1df7-4341-92aa-9a9b73a9cab5 | comment   | 2nd guest token for user2
 fe678d59-aaea-430e-8b2f-e3471cc65e29 | 1666863684763 | 1666899684752 | 1667468484763 | fe678d59-aaea-430e-8b2f-e3471cc65e29 | passcode  | aSdFBjfvv70abE8I77+9cGVx77+9Re+/ve+/vVIS77+93otX26nvv71NFB3vv70=
 fe678d59-aaea-430e-8b2f-e3471cc65e29 | 1666863684763 | 1666899684752 | 1667468484763 | fe678d59-aaea-430e-8b2f-e3471cc65e29 | enabled   | true
 fe678d59-aaea-430e-8b2f-e3471cc65e29 | 1666863684763 | 1666899684752 | 1667468484763 | fe678d59-aaea-430e-8b2f-e3471cc65e29 | createdBy | admin
 fe678d59-aaea-430e-8b2f-e3471cc65e29 | 1666863684763 | 1666899684752 | 1667468484763 | fe678d59-aaea-430e-8b2f-e3471cc65e29 | userName  | user1
 fe678d59-aaea-430e-8b2f-e3471cc65e29 | 1666863684763 | 1666899684752 | 1667468484763 | fe678d59-aaea-430e-8b2f-e3471cc65e29 | comment   | 2nd admin token for user1
 860bf063-8088-44b5-9b91-dc1ba098ede6 | 1666864008506 | 1666900008479 | 1667468808506 | 860bf063-8088-44b5-9b91-dc1ba098ede6 | passcode  | 77+977+9CBsreu+/vVotLwZ677+9D++/ve+/ve+/vXTvv71mHO+/vSLRjCA5U3/vv70=
 860bf063-8088-44b5-9b91-dc1ba098ede6 | 1666864008506 | 1666900008479 | 1667468808506 | 860bf063-8088-44b5-9b91-dc1ba098ede6 | enabled   | true
 860bf063-8088-44b5-9b91-dc1ba098ede6 | 1666864008506 | 1666900008479 | 1667468808506 | 860bf063-8088-44b5-9b91-dc1ba098ede6 | createdBy | guest
 860bf063-8088-44b5-9b91-dc1ba098ede6 | 1666864008506 | 1666900008479 | 1667468808506 | 860bf063-8088-44b5-9b91-dc1ba098ede6 | userName  | user2
 860bf063-8088-44b5-9b91-dc1ba098ede6 | 1666864008506 | 1666900008479 | 1667468808506 | 860bf063-8088-44b5-9b91-dc1ba098ede6 | comment   | 3rd guest token for user2
 c733ee76-622c-4a19-ad4e-fed262ef9d01 | 1666864017664 | 1666900017652 | 1667468817664 | c733ee76-622c-4a19-ad4e-fed262ef9d01 | passcode  | S9WyKmnvv73vv73vv73vv73vv70z77+977+977+9NlDvv73vv73vv73vv70N77+9SBTvv71077+9WSPvv73vv70=
 c733ee76-622c-4a19-ad4e-fed262ef9d01 | 1666864017664 | 1666900017652 | 1667468817664 | c733ee76-622c-4a19-ad4e-fed262ef9d01 | enabled   | true
 c733ee76-622c-4a19-ad4e-fed262ef9d01 | 1666864017664 | 1666900017652 | 1667468817664 | c733ee76-622c-4a19-ad4e-fed262ef9d01 | createdBy | guest
 c733ee76-622c-4a19-ad4e-fed262ef9d01 | 1666864017664 | 1666900017652 | 1667468817664 | c733ee76-622c-4a19-ad4e-fed262ef9d01 | userName  | user1
 c733ee76-622c-4a19-ad4e-fed262ef9d01 | 1666864017664 | 1666900017652 | 1667468817664 | c733ee76-622c-4a19-ad4e-fed262ef9d01 | comment   | guest token for user1
 392cabee-e9d3-491a-9edf-97974749ffad | 1666864038730 | 1666900038554 | 1667468838730 | 392cabee-e9d3-491a-9edf-97974749ffad | passcode  | Qe+/veePjUHvv73vv70077+9O0nvv73vv73ak3nvv73vv71K77+9au+/ve+/ve+/vUYfeBTvv73vv71T
 392cabee-e9d3-491a-9edf-97974749ffad | 1666864038730 | 1666900038554 | 1667468838730 | 392cabee-e9d3-491a-9edf-97974749ffad | enabled   | true
 392cabee-e9d3-491a-9edf-97974749ffad | 1666864038730 | 1666900038554 | 1667468838730 | 392cabee-e9d3-491a-9edf-97974749ffad | createdBy | admin
 392cabee-e9d3-491a-9edf-97974749ffad | 1666864038730 | 1666900038554 | 1667468838730 | 392cabee-e9d3-491a-9edf-97974749ffad | userName  | user1
 392cabee-e9d3-491a-9edf-97974749ffad | 1666864038730 | 1666900038554 | 1667468838730 | 392cabee-e9d3-491a-9edf-97974749ffad | comment   | 3rd test token for user1
 e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | 1666864047038 | 1666900047026 | 1667468847038 | e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | passcode  | Ie+/vSrvv73vv73vv71ARBrvv71E77+9au+/vTTvv73vv718Ve+/ve+/vVDvv73vv70iYwTvv71wIijvv70=
 e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | 1666864047038 | 1666900047026 | 1667468847038 | e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | enabled   | true
 e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | 1666864047038 | 1666900047026 | 1667468847038 | e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | createdBy | admin
 e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | 1666864047038 | 1666900047026 | 1667468847038 | e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | userName  | user2
 e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | 1666864047038 | 1666900047026 | 1667468847038 | e5b99abb-82ba-4b7f-982a-380fd1d4aa89 | comment   | admin token for user2
(40 rows)

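The failure mode the PR description gives (a single static ImpersonationProvider that every ProxyUsers.refreshSuperUserGroupsConfiguration call overwrites, so the last topology deployed silently replaces the proxyuser policy of every other one) is easy to reproduce in a small model. The block below is an added Python model of the two designs, not Knox or Hadoop code: the param names and the two topologies mirror the homepage / homepage_2 configs above, the proxyuser evaluation follows Hadoop's users-or-groups plus hosts rule, and everything else (class names, the topology/role map key, the sample host) is an assumption made for illustration.

```python
"""Model of the KNOX-2831 failure mode: one process-wide ImpersonationProvider
versus one provider per (topology, role). Illustrative model, not Knox/Hadoop code."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample params mirroring the two topologies in the PR description.
HOMEPAGE_PARAMS = {
    "knox.token.impersonation.enabled": "true",
    "knox.token.proxyuser.admin.users": "*",
    "knox.token.proxyuser.admin.groups": "*",
    "knox.token.proxyuser.admin.hosts": "*",
}
HOMEPAGE_2_PARAMS = {
    "knox.token.impersonation.enabled": "true",
    "knox.token.proxyuser.guest.users": "*",
    "knox.token.proxyuser.guest.groups": "*",
    "knox.token.proxyuser.guest.hosts": "*",
}
PREFIX = "knox.token.proxyuser"  # the KNOXTOKEN proxyuser param prefix


@dataclass
class ProxyRule:
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)


def parse_proxyuser_config(params: Dict[str, str], prefix: str) -> Dict[str, ProxyRule]:
    """Collect <prefix>.<superuser>.{users,groups,hosts} into one rule per superuser."""
    rules: Dict[str, ProxyRule] = {}
    for key, value in params.items():
        if not key.startswith(prefix + "."):
            continue
        superuser, _, attr = key[len(prefix) + 1:].rpartition(".")
        if not superuser or attr not in ("users", "groups", "hosts"):
            continue
        values = {v.strip() for v in value.split(",") if v.strip()}
        getattr(rules.setdefault(superuser, ProxyRule()), attr).update(values)
    return rules


class ImpersonationProvider:
    """Hadoop-style check: the real (proxy) user may act as the target user only if the
    target user or one of its groups is listed AND the caller's host is listed.
    A superuser with no rule at all, or no hosts entry, is denied."""
    def __init__(self, rules: Dict[str, ProxyRule]):
        self.rules = rules

    def authorize(self, real_user, target_user, target_groups, remote_host) -> bool:
        rule = self.rules.get(real_user)
        if rule is None:
            return False
        user_ok = "*" in rule.users or target_user in rule.users
        group_ok = "*" in rule.groups or bool(rule.groups & set(target_groups))
        host_ok = "*" in rule.hosts or remote_host in rule.hosts
        return (user_ok or group_ok) and host_ok


class StaticProxyUsers:
    """Before the fix: one provider for the whole process; every refresh overwrites it."""
    _provider = None

    @classmethod
    def refresh(cls, params, prefix):
        cls._provider = ImpersonationProvider(parse_proxyuser_config(params, prefix))

    @classmethod
    def authorize(cls, *args) -> bool:
        return cls._provider is not None and cls._provider.authorize(*args)


class ScopedProxyUsers:
    """After the fix: providers keyed by (topology, role); a refresh touches one key only."""
    def __init__(self):
        self._providers: Dict[Tuple[str, str], ImpersonationProvider] = {}

    def refresh(self, topology, role, params, prefix):
        self._providers[(topology, role)] = ImpersonationProvider(
            parse_proxyuser_config(params, prefix))

    def authorize(self, topology, role, *args) -> bool:
        provider = self._providers.get((topology, role))
        return provider is not None and provider.authorize(*args)


def reproduce() -> Dict[str, bool]:
    """Deploy homepage, then homepage_2, and replay the token requests from the
    description. Returns {label: allowed?} for both designs."""
    StaticProxyUsers.refresh(HOMEPAGE_PARAMS, PREFIX)
    StaticProxyUsers.refresh(HOMEPAGE_2_PARAMS, PREFIX)  # clobbers admin's rule
    scoped = ScopedProxyUsers()
    scoped.refresh("homepage", "KNOXTOKEN", HOMEPAGE_PARAMS, PREFIX)
    scoped.refresh("homepage_2", "KNOXTOKEN", HOMEPAGE_2_PARAMS, PREFIX)
    host = "10.0.0.5"  # assumed client address
    return {
        "static/homepage/admin->user1": StaticProxyUsers.authorize("admin", "user1", ["users"], host),
        "static/homepage_2/guest->user2": StaticProxyUsers.authorize("guest", "user2", ["users"], host),
        "scoped/homepage/admin->user1": scoped.authorize("homepage", "KNOXTOKEN", "admin", "user1", ["users"], host),
        "scoped/homepage_2/guest->user2": scoped.authorize("homepage_2", "KNOXTOKEN", "guest", "user2", ["users"], host),
        "scoped/homepage/guest->user2": scoped.authorize("homepage", "KNOXTOKEN", "guest", "user2", ["users"], host),
    }


if __name__ == "__main__":
    for label, allowed in reproduce().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

With the static design, admin's request in the homepage topology is denied because the only provider left in the process holds guest's rule; with the per-topology map both topologies keep their own policy, and guest is still denied in the homepage topology, where only admin is a configured proxy user. The same last-writer-wins effect is what makes the Kerberos case in the description fail: HadoopAuthFilter and the KNOXTOKEN service each refresh the same static provider with different prefixes.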
@zeroflag (Contributor) left a comment:

LGTM

@smolnar82 smolnar82 requested a review from pzampino October 27, 2022 12:01
@smolnar82 smolnar82 merged commit ebac40d into apache:master Oct 28, 2022
@smolnar82 smolnar82 deleted the KNOX-2831 branch October 28, 2022 06:50
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…es and roles with different proxyuser configs (apache#660)

Change-Id: I66ea36da03e6a65b1dd04a1c93283eabad90c5b1