
Is it possible to prevent SPNEGO on each Knox access?


I'm using a Tomcat service with the authentication filter defined as I found in this documentation:

https://hadoop.apache.org/docs/stable/hadoop-auth/Configuration.html

I have defined a service.xml and a rewrite.xml:

<service role="MyService" name="HTTPListener" version="0.0.1">
<routes>
<route path="/HTTPListener/?**"/>
<route path="/HTTPListener/**?**"/>
</routes>
</service>

<rules>
<rule dir="IN" name="MyService/HTTPListener/path/inbound" pattern="*://*:*/**/HTTPListener/{path=**}?{**}">
<rewrite template="{$serviceUrl[MyService]}/{path=**}?{**}"/>
</rule>
<rule dir="IN" name="MyService/HTTPListener/path2/inbound" pattern="*://*:*/**/HTTPListener/?{**}">
<rewrite template="{$serviceUrl[MyService]}/?{**}"/>
</rule>
</rules>

It works, but I'm trying to re-use the HTTP connection for performance reasons.

Without Knox, I can see the connection is properly reused.

With Knox, the client uses the same HTTP connection, but I can see a lot of checks in gateway.log:

2017-09-12 15:34:09,939 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:10,955 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:11,997 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:12,258 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:12,276 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:13,288 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:14,301 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:15,320 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:16,334 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:17,289 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:17,323 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:17,446 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:17,459 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:18,472 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:19,490 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:19,531 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:19,539 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true
2017-09-12 15:34:20,560 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true

And I can see on my servlet and with tcpdump that there are renegotiations on each call.

I don't understand why the token is not kept by Knox to prevent renegotiation.

Any ideas?

Thanks in advance,

Alex
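
One way to measure the per-call renegotiation described above from a header-level capture of what reaches the backend servlet, as an added example that is not part of the original post: a request with an `Authorization: Negotiate` header went through a fresh SPNEGO exchange, while one carrying the `hadoop.auth` cookie (the signed token the hadoop-auth filter issues after a successful authentication) reused it. The capture format (request heads separated by blank lines), the sample data and the function names are assumptions of this example.

```python
from collections import Counter

# Constructed sample (not from the post): request heads as they might appear
# in a header-level capture of the traffic reaching the backend servlet.
# The Negotiate token and the cookie value are placeholders.
SAMPLE_CAPTURE = """\
GET /HTTPListener/?op=ping HTTP/1.1
Host: backend.example:8080
Authorization: Negotiate Q09OU1RSVUNURUQ=

GET /HTTPListener/?op=ping HTTP/1.1
Host: backend.example:8080
Authorization: Negotiate Q09OU1RSVUNURUQ=

GET /HTTPListener/status?x=1 HTTP/1.1
Host: backend.example:8080
Cookie: JSESSIONID=abc; hadoop.auth="u=alex&t=kerberos&e=0&s=constructed"
"""

AUTH_COOKIE = "hadoop.auth"  # cookie name hadoop-auth uses for its signed token


def parse_headers(head):
    """Return {lower-case header name: [values]} for one request head."""
    headers = {}
    for line in head.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_request(head):
    """'cookie' = token reused, 'negotiate' = fresh SPNEGO, 'none' = neither.

    A request that carries the cookie is counted as reuse even if it also
    sends a Negotiate header (a classification choice of this example).
    """
    headers = parse_headers(head)
    for cookie_header in headers.get("cookie", []):
        names = [c.partition("=")[0].strip() for c in cookie_header.split(";")]
        if AUTH_COOKIE in names:
            return "cookie"
    for value in headers.get("authorization", []):
        if value.split(" ", 1)[0].lower() == "negotiate":
            return "negotiate"
    return "none"


def summarize(capture):
    """Count request classes across blank-line-separated request heads."""
    heads = [h for h in capture.replace("\r\n", "\n").split("\n\n") if h.strip()]
    return Counter(classify_request(h) for h in heads)
```

A capture in which every request is classified `negotiate` matches the behaviour reported in the post; a mix that settles on `cookie` after the first request means the token is being reused.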
