Can someone help me understand Knox impersonation

Contributor

I have a user 'knox' on a Hadoop cluster (Kerberos enabled). I am running the Demo LDAP for Knox authentication.

My proxy settings in core-site.xml:

hadoop.proxyuser.knox.groups = users

hadoop.proxyuser.knox.hosts = [myhadoopMasterNode_Hostname]

Now I am trying to run a curl command using the username 'guest' and password 'guest-password' from the users.ldif file.

This gives an error: knox is not able to impersonate guest.

Then I changed this property: hadoop.proxyuser.knox.groups=*. Now I am able to run the curl command successfully.

Please help me understand two things:

1) How does the hadoop.proxyuser.knox.groups property setting work?

2) Can the identity-assertion property in the topology file help resolve this same issue?

1 ACCEPTED SOLUTION

Rising Star

This is because the 'guest' user in the Demo LDAP does not belong to the group "users". For this to work, you should create a group "users" in the Demo LDAP (users.ldif) and add the guest user to it. You could try to impersonate 'guest' to a user who belongs to the 'users' group on the machine.
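The group check discussed in this thread, as an added example that is not part of the original posts and is not Hadoop's own code: a simplified Python model of how the `hadoop.proxyuser.knox.groups` and `hadoop.proxyuser.knox.hosts` settings decide whether `knox` may act as another user. The hostnames, the user `alice`, and the group-lookup dictionary are constructed stand-ins for the cluster's real hosts and for whatever group lookup Hadoop is configured with.

```python
# Simplified model of the Hadoop proxyuser check (added example, not Hadoop source).
# Host matching is exact-string only here; group data below is constructed.

def parse_list(value):
    """Split a comma-separated property value into a set; '*' is kept as-is."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def authorize(conf, real_user, effective_user, remote_host, group_lookup):
    """Return (allowed, reason) for real_user acting as effective_user."""
    prefix = f"hadoop.proxyuser.{real_user}."
    users = parse_list(conf.get(prefix + "users"))
    groups = parse_list(conf.get(prefix + "groups"))
    hosts = parse_list(conf.get(prefix + "hosts"))

    # Membership of the *impersonated* user is what gets compared to the list.
    member_of = set(group_lookup.get(effective_user, []))
    user_ok = ("*" in users or "*" in groups
               or effective_user in users or bool(member_of & groups))
    if not user_ok:
        return False, f"{real_user} may not impersonate {effective_user}"
    if "*" not in hosts and remote_host not in hosts:
        return False, f"{real_user} may not proxy from {remote_host}"
    return True, "ok"


HOST = "master.example.com"                       # constructed hostname
LOOKUP = {"guest": [], "alice": ["users"]}        # constructed group data
RESTRICTED = {"hadoop.proxyuser.knox.groups": "users",
              "hadoop.proxyuser.knox.hosts": HOST}
WILDCARD = {**RESTRICTED, "hadoop.proxyuser.knox.groups": "*"}


def scenarios():
    """Evaluate the cases from the thread plus two contrasts."""
    fixed = dict(LOOKUP, guest=["users"])          # guest added to 'users'
    return {
        "guest, groups=users": authorize(RESTRICTED, "knox", "guest", HOST, LOOKUP),
        "guest, groups=*": authorize(WILDCARD, "knox", "guest", HOST, LOOKUP),
        "guest in users": authorize(RESTRICTED, "knox", "guest", HOST, fixed),
        "alice, other host": authorize(RESTRICTED, "knox", "alice",
                                       "edge.example.com", LOOKUP),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in scenarios().items():
        print(f"{case:22} allowed={allowed} ({reason})")
```

The `groups=*` case succeeds because the wildcard removes the group restriction entirely, so `knox` may then impersonate any user from the listed hosts; keeping `groups=users` and fixing the membership preserves the restriction.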
