Support Questions

Find answers, ask questions, and share your expertise

No value for effective user (PROXY_USER_NAME) in gateway-audit.log file.

avatar
Explorer

What does it mean if the gateway-audit.log does not show a value for the PROXY_USER_NAME audit log field when I make a successful REST API call to Knox/webhdfs? I am assuming there should always be a value in the log for the effective user (PROXY_USER_NAME)? [1]

Log file example:

17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: []

17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||authorization|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success| 

17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||dispatch|uri|http://namenode:50070/webhdfs/v1/?user.name=guest&op=LISTSTATUS|success|Response status: 200

17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 200

refs: [1] http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Knox_Gateway_Admin_Guide/content/audit_lo...

1 ACCEPTED SOLUTION

avatar
Expert Contributor

The PROXY_USER_NAME is actually poorly named. This value is only populated if principal mapping within identity assertion is done to map the authenticated user to another username to proxy to the backend service. It should probably be called MAPPED_USER or something like that. See: http://knox.apache.org/books/knox-0-11-0/user-guide.html#Audit

View solution in original post

2 REPLIES 2

avatar
Expert Contributor

The PROXY_USER_NAME is actually poorly named. This value is only populated if principal mapping within identity assertion is done to map the authenticated user to another username to proxy to the backend service. It should probably be called MAPPED_USER or something like that. See: http://knox.apache.org/books/knox-0-11-0/user-guide.html#Audit

avatar
Explorer

Thank you for the quick response. matts