User impersonnation not working with ozone httpfs

[sinedTr]

Hello, I'm trying to make ozone httpfs work through apache knox. I'm getting this error message when testing with curl :

curl -k --negotiate -u : "https://knox-url.com/sandbox/main/webhdfs/v1/?op=LISTSTATUS" {"RemoteException":{"message":"User: knox/master4.local@REALM is not allowed to impersonate user01","exception":"AuthorizationException","javaClassName":"org.apache.hadoop.security.authorize.AuthorizationException"}}

I have these proxyuser settings in httpfs-site.xml :

<property><name>hadoop.proxyuser.knoxuser.hosts</name><value>*</value></property> <property><name>hadoop.proxyuser.knoxuser.groups</name><value>*</value></property>

The error message indicates the SPN was not converted to the user name with auth_to_local rules so I checked the auth_to_local rules and confirmed they are set :

curl -s --negotiate -u : "https://master2.local:14000/conf" | grep RULE <property><name>hadoop.security.auth_to_local</name><value>RULE:[1:$1@$0](knox@REALM)s/.*/knoxuser/ RULE:[2:$1@$0](knox@REALM)s/.*/knoxuser/ DEFAULT</value><final>false</final><source>core-site.xml</source></property>

ozone httpfs works fine when not going through knox.
Am I doing something wrong or could this be a bug ?

[jojochuang]

Not sure who can answer this -- @dombizita or @fapifta ?
Please note this is holiday week and the response may be delayed.

Also, try adding the proxyuser configurations in core-site.xml instead of httpfs-site.xml. Example:

ozone/hadoop-ozone/dist/src/main/compose/common/security.conf

Line 18 in 8651aa4

CORE-SITE.XML_hadoop.proxyuser.httpfs.hosts=*

[sinedTr]

Proxyuser confs are now in core-site.xml instead of httpfs-site.xml but the issue remains