In a rewritten UI (namely the YARN UI), knox is what is used as the logged-in user, and not the user that was logging into Knox with the basicAuth that was configured. So, the UIs show too much (e.g. all apps and all logs instead of only the user's).
For other services (like Oozie where a doAs is added by Knox), it is fine.
Having the "knox" user then seems to be forwarded to other UIs instead of the logged in user principal for basic rewrite stuff.
I would like to expose other web resources through Knox (for benefiting from the gateway features, like auditing) and this behavior is exposing too much stuff out.
What to do to have the logged in user principal used for the services? Any SPI default implementation doing it?
Hi Phillipe. It sounds like you are exposing a custom REST API through Knox, is that correct? I have worked on something similar. You should be finding that the 'doAs' parameter will be added to any request that is forwarded by Knox. In the UI code, you would then need to extract this username from the request to perform any authenticated actions, e.g. in our case, perform an HBase Get or Put. I believe you would then need to add some proxy user configuration to your service as described here. In your case the superuser would be the one running the Yarn UI.
I hope that helps somewhat.
Hi Phillipe - By "rewritten UI" do you mean that you have written a custom YARN UI? The trusted proxy pattern used in Hadoop is very common and, as Adam mentions, Knox uses the doAs parameter to assert the identity of the authenticated user to the backend UI or REST API while authenticating itself as a known trusted proxy - knox. If you haven't implemented the trusted proxy then you will need to do so. If you are running a stock YARN UI like the resource manager UI and seeing this behavior then please file a JIRA for Apache Knox.
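The trusted proxy check described in the two replies above, sketched as an added example (not code from this thread, Knox or Hadoop): the backend honours `doAs` only when the authenticated caller is a configured proxy user, comes from an allowed host, and names a user it may impersonate. The policy tables, host address and the `effective_user` function are constructed for illustration, loosely modelled on Hadoop's per-proxy-user hosts and groups settings.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed policy: which authenticated callers may impersonate, from where,
# and for members of which groups.
PROXY_USERS = {
    "knox": {"hosts": {"10.0.0.5"}, "groups": {"analysts"}},
}
# Constructed group membership; a real service would query its group mapping.
USER_GROUPS = {"alice": {"analysts"}, "root": {"admins"}}


class ProxyDenied(Exception):
    """Raised when a doAs request is not covered by the proxy policy."""


def effective_user(authenticated_user, remote_host, url):
    """Return the identity the request should run as, or raise ProxyDenied."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("doAs", [])
    if not values:
        # No impersonation requested: the caller acts as itself. A UI that
        # never reads doAs always ends up here and shows "knox".
        return authenticated_user
    if len(values) != 1 or not values[0]:
        raise ProxyDenied("ambiguous or empty doAs")
    target = values[0]
    rule = PROXY_USERS.get(authenticated_user)
    if rule is None:
        # An ordinary user must not be able to switch identity with doAs.
        raise ProxyDenied(f"{authenticated_user} is not a trusted proxy")
    if remote_host not in rule["hosts"]:
        raise ProxyDenied(f"{authenticated_user} may not proxy from {remote_host}")
    if not (USER_GROUPS.get(target, set()) & rule["groups"]):
        raise ProxyDenied(f"{authenticated_user} may not impersonate {target}")
    return target
```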
I think what you mean is that you just want to see the user logged on to Knox as the user shown in "Logged in as: " on the Yarn UI.
For this to work you need to set the Yarn property:
Hi, is this issue resolved? I am facing the same issue. After authentication with AD user credentials it's showing logged in as knox, and I can't access the logs in the YARN and HDFS UI, and it's giving me this error