Knox logging in a knox and not as a user in rewritten UI

Explorer

In a rewritten UI (namely YARN UI), knox is what is used as the logged-in user, and not the user that was logging into Knox with the basicAuth that was configured. So, the UI shows too much (e.g. all apps, and all logs instead of only the user's).

For other services (like Oozie where a doAs is added by Knox), it is fine.

Having the "knox" user then seems to be forwarded to other UIs instead of the logged in user principal for basic rewrite stuff.

I would like to expose other web resources through Knox (for benefiting from the gateway features, like auditing) and this behavior is exposing too much stuff out.

What to do to have the logged in user principal used for the services? Any SPI default implementation doing it?

4 REPLIES

Re: Knox logging in a knox and not as a user in rewritten UI

New Contributor

Hi Philippe. It sounds like you are exposing a custom REST API through Knox, is that correct? I have worked on something similar. You should be finding that the 'doAs' parameter will be added to any request that is forwarded by Knox. In the UI code, you would then need to extract this username from the request to perform any authenticated actions e.g. in our case, perform an HBase Get or Put. I believe you would then need to add some proxy user configuration to your service as described here. In your case the superuser would be the one running the Yarn UI.

I hope that helps somewhat.

Re: Knox logging in a knox and not as a user in rewritten UI

Contributor

Hi Philippe - By "rewritten UI" do you mean that you have written a custom YARN UI? The trusted proxy pattern used in Hadoop is very common and, as Adam mentions, Knox uses the doAs parameter to assert the identity of the authenticated user to the backend UI or REST API while authenticating itself as a known trusted proxy - knox. If you haven't implemented the trusted proxy then you will need to do so. If you are running a stock YARN UI like the resource manager UI and seeing this behavior then please file a JIRA for Apache Knox.
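
The trusted proxy check the two replies above describe, as an added sketch that is not part of the thread and is not Knox or YARN code: a backend accepts doAs only from the principal it trusts as a proxy, and only within that proxy's configured limits. The function name, addresses, users and groups are constructed for illustration; the `hadoop.proxyuser.<name>.hosts` and `.groups` keys are Hadoop's proxy-user settings, which the thread refers to but does not quote.

```python
from urllib.parse import parse_qs

# Constructed sample configuration, modelled on Hadoop's proxy-user keys.
CONF = {
    "hadoop.proxyuser.knox.hosts": "10.0.0.5",   # constructed gateway address
    "hadoop.proxyuser.knox.groups": "analysts",  # constructed group name
}
# Constructed user-to-group mapping; a real service would ask LDAP or the OS.
GROUPS = {"alice": {"analysts"}, "root": {"wheel"}}


class ImpersonationDenied(Exception):
    """Raised when a caller is not allowed to act as the doAs user."""


def _allowed(conf, key):
    """Return the comma-separated values of a config key as a set (empty if unset)."""
    return {v.strip() for v in conf.get(key, "").split(",") if v.strip()}


def effective_user(authenticated, remote_addr, query_string, conf=CONF, groups=GROUPS):
    """Resolve whose permissions apply to one request (hypothetical helper)."""
    do_as = parse_qs(query_string).get("doAs", [])
    if not do_as:
        # No doAs: the caller acts as itself. This is the case in the thread,
        # where every forwarded request runs as "knox".
        return authenticated
    if len(do_as) != 1:
        raise ImpersonationDenied("ambiguous doAs parameter")
    target = do_as[0]
    hosts = _allowed(conf, f"hadoop.proxyuser.{authenticated}.hosts")
    allowed_groups = _allowed(conf, f"hadoop.proxyuser.{authenticated}.groups")
    # A principal with no proxy-user entry has empty sets and is always refused.
    if "*" not in hosts and remote_addr not in hosts:
        raise ImpersonationDenied(f"{authenticated} may not impersonate from {remote_addr}")
    if "*" not in allowed_groups and not (groups.get(target, set()) & allowed_groups):
        raise ImpersonationDenied(f"{authenticated} may not impersonate {target}")
    return target
```
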

Re: Knox logging in a knox and not as a user in rewritten UI

Super Collaborator

@Philippe Back

I think what you mean is that you just want to see the user logged on to Knox as the user shown in "Logged in as: " on the Yarn UI.

For this to work you need to set the Yarn property:

yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=true

to true.

Re: Knox logging in a knox and not as a user in rewritten UI

Explorer

Hi, is this issue resolved? I am facing the same issue. After authentication with AD user credentials it's showing logged in as knox and I can't access the logs in YARN and HDFS UI and it's giving me this error:

User [knox] is not authorized to view the logs for container_e18_1566456018580_0002_01_000001 in log file [hclustd01.test.codex-ifabric.net_45454_1566456791784]

No logs available for container container_e18_1566456018580_0002_01_000001
